Hi, This is just a comment on the default radiusd.conf provided information. In the authenticate section of the default radiusd.conf I can read about "Auth-Type LDAP": <quote> # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. </quote> While usually true, this assumption is a little confusing sometimes. Indeed, when EAP-TTLS uses PAP (not an EAP protocol I know) as its inside authentication protocol, a cleartext password is provided to Freeradius which is then able to use a simple ldap bind exchange to authenticate the user. Could we replace with something like that <quote> # Note that this means "check plain-text password against # the ldap database", which means that most EAP types won't work # as they do not supply a plain-text password (unless you use a # composite EAP scheme with and inner cleartext-enabled protocol # such as EAP-TTLS/PAP) </quote> But this is a little tricky... Or more simply: <quote> # Note that this means "check plain-text password against # the ldap database", which means that most EAP types won't work # as they do not supply a plain-text password # (an exception beeing EAP-TTLS with inner PAP authentication) </quote> The second one could be less confusing for people trying to setup EAP-TTLS/PAP on ldap directories but of course this is not a big deal... Thibault