I use FR 2.1.1 for WPA authentication, using TTLS+MSCHAPv2 and LDAP to store users and passwords (in LM/NT hash format). I tried several configurations: Configuration 1: - no changes in sites-enabled/default; - in sites-enabled/inner-tunnel uncommented "ldap" in authorize and "Auth-Type LDAP" in authenticate. Result: users get access even with an incorrect password. Why? Configuration 2: - in sites-enabled/default uncommented "ldap" in authorize and "Auth-Type LDAP" in authenticate; - no changes in sites-enabled/inner-tunnel. Result: users aren't authenticated. Configuration 3: - in sites-enabled/default uncommented "Auth-Type LDAP" in authenticate; - in sites-enabled/inner-tunnel uncommented "ldap" in authorize. Result: it seems to work correctly, users get access only with a correct password. I can't understand well the flow of the process between the two virtual servers :(