I am running freeradius-2.1.12. According to the last post of the following thread - http://lists.freeradius.org/pipermail/freeradius-users/2013-February/064927.... - it is possible to get radius to authenticate against PAM by configuring it to use PAP inside of TTLS. The first and final posts of that thread provide the configuration that the poster used to get it working. In /etc/freeradius/users, I have DEFAULT Auth-Type := PAM In /etc/pam.d/radiusd, I have the following: ## auth requisite /lib/arm-linux-gnueabihf/security/pam_google_authenticator.so secret=/home/${USER}/.google_authenticator nullok forward_pass auth sufficient pam_ldap.so use_first_pass auth required pam_unix.so use_first_pass ## In /etc/pam.d/sshd, I have the following lines immediately before the usual @include common-auth line: auth sufficient pam_radius_auth.so # Additionally, I have mimick'ed the configuration given in the aforementioned thread - the the eap.conf changes, and sites-enabled changes. This configuration works perfectly for ssh clients. It works for both ldap users and local unix users who ssh in from another linux box. I can see in /var/log/auth.log and the radius debug log that the user's verfication code is being checked and that their password is being checked against ldap. But this setup is not working for network devices such as iPad, that are connecting to a wireless access point, and trying to login with an ldap user. Said network devices do work but only for users explicitly given in the /etc/freeradius/users file with a plaintext password attribute. The wireless device is configured to use PAP inside TTLS, as per instructions here: http://cloudessa.com/tips-and-tricks/how-to-setup-eap-ttls-with-inner-pap-on... Freeradius debug log: EAP-Message = 0x0201000a017465737432 Message-Authenticator = 0xe3e9b79324821a27d40811ef6a24de9a Fri Jan 22 23:43:36 2016 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Fri Jan 22 23:43:36 2016 : Info: +- entering group authorize {...} Fri Jan 22 23:43:36 2016 : Info: ++[preprocess] returns ok Fri Jan 22 23:43:36 2016 : Info: ++[chap] returns noop Fri Jan 22 23:43:36 2016 : Info: ++[mschap] returns noop Fri Jan 22 23:43:36 2016 : Info: ++[digest] returns noop Fri Jan 22 23:43:36 2016 : Info: [suffix] No '@' in User-Name = "test2", looking up realm NULL Fri Jan 22 23:43:36 2016 : Info: [suffix] No such realm "NULL" Fri Jan 22 23:43:36 2016 : Info: ++[suffix] returns noop Fri Jan 22 23:43:36 2016 : Info: [eap] EAP packet type response id 1 length 10 Fri Jan 22 23:43:36 2016 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Fri Jan 22 23:43:36 2016 : Info: ++[eap] returns updated Fri Jan 22 23:43:36 2016 : Info: [files] users: Matched entry DEFAULT at line 216 Fri Jan 22 23:43:36 2016 : Info: ++[files] returns ok Fri Jan 22 23:43:36 2016 : Info: ++[expiration] returns noop Fri Jan 22 23:43:36 2016 : Info: ++[logintime] returns noop Fri Jan 22 23:43:36 2016 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Fri Jan 22 23:43:36 2016 : Info: ++[pap] returns noop Fri Jan 22 23:43:36 2016 : Info: Found Auth-Type = PAM Fri Jan 22 23:43:36 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Fri Jan 22 23:43:36 2016 : Info: +- entering group authenticate {...} Fri Jan 22 23:43:36 2016 : Auth: rlm_pam: Attribute "User-Password" is required for authentication. Fri Jan 22 23:43:36 2016 : Info: ++[pam] returns invalid Fri Jan 22 23:43:36 2016 : Info: Failed to authenticate the user. Fri Jan 22 23:43:36 2016 : Info: Using Post-Auth-Type Reject Fri Jan 22 23:43:36 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Fri Jan 22 23:43:36 2016 : Info: +- entering group REJECT {...} - Michael Martinez -- ---