Many thanks for your answer.
if you dont want your server to do PEAP , then remove it from the EAP config....
I did, but now I'm receiving errors when running the server with the -X option: Certificate Compatibility.
however, how are you dealing with clients - as most still dont do EAP-TTLS/PAP (and if doing EAP-TTLS/PAP you cannot ensure that the client is correctly, securely configured - which for a PAP mathod is pretty much essential).
What do you mean with "dealing with clients"? Is there any client config error which may cause sending the password not inside the TLS-Tunnel? And what do you mean with client: The NAS or the dial up client? But also using a CHAP-Password would then not lead to an improved security when sending it not via the encrypted tunnel, does it? Many thanks and best regards Jens