MS-CHAP doesn't send a password; it's a challenge/response authentication type, that requires the server to have access to the plaintext password, NT hash, or an oracle. See here: http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html In short - what you're doing is impossible, with the auth types you're using. Only TTLS/PAP gives you access to the password. Even if it were possible, you're doing it entirely wrong; you don't return a succeed/fail in the authorize section. And if you know the plaintext password for comparison reasons, you should just tell it to FreeRADIUS. You've also broken the default configs horribly by removing all the modules in the inner tunnel config (which is why the request isn't detected as MSCHAP). Basically - don't do that, it won't work.