Freeradius not expanding %{User-Password} (EAP-TTLS with MD5 authentication)
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jun 18 13:17:07 CEST 2012
MS-CHAP doesn't send a password; it's a challenge/response
authentication type, that requires the server to have access to the
plaintext password, NT hash, or an oracle. See here:

http://deployingradius.com/documents/protocols/compatibility.html
http://deployingradius.com/documents/protocols/oracles.html

In short - what you're doing is impossible, with the auth types you're
using. Only TTLS/PAP gives you access to the password.

Even if it were possible, you're doing it entirely wrong; you don't
return a succeed/fail in the authorize section. And if you know the
plaintext password for comparison reasons, you should just tell it to
FreeRADIUS.

You've also broken the default configs horribly by removing all the
modules in the inner tunnel config (which is why the request isn't
detected as MSCHAP).

Basically - don't do that, it won't work.
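
The point made in the reply above, as an added example that is not part of the original post or of FreeRADIUS: a PAP request carries the password, while a challenge/response request carries only a digest, so `%{User-Password}` has nothing to expand and the server can only verify against a password it already holds. It uses the CHAP / EAP-MD5 digest from RFC 1994 as a simpler stand-in for MS-CHAP (which works from the NT hash instead); the dict-based requests, function names and sample credentials are constructed for illustration.

```python
import hashlib
import hmac

def chap_response(ident, password, challenge):
    # RFC 1994 CHAP (same computation as EAP-MD5): MD5(id || password || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def client_pap(user, password):
    # PAP: the password itself travels in the request
    return {"User-Name": user, "User-Password": password}

def client_chap(user, password, ident, challenge):
    # Challenge/response: only the identifier and a 16-byte digest are sent
    digest = chap_response(ident, password, challenge)
    return {"User-Name": user,
            "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([ident]) + digest}

def expand_user_password(request):
    # Models what %{User-Password} can expand to: the attribute, or empty if absent
    return request.get("User-Password", b"")

def server_check(request, stored_cleartext):
    # stored_cleartext models a Cleartext-Password the server was told in advance
    if stored_cleartext is None:
        return None  # nothing known about the user: no decision possible here
    if "User-Password" in request:
        return hmac.compare_digest(request["User-Password"], stored_cleartext)
    blob = request["CHAP-Password"]
    expected = chap_response(blob[0], stored_cleartext, request["CHAP-Challenge"])
    return hmac.compare_digest(blob[1:], expected)

if __name__ == "__main__":
    challenge = bytes(range(16))                      # constructed sample challenge
    pap = client_pap("bob", b"hello")                 # constructed sample credentials
    chap = client_chap("bob", b"hello", 7, challenge)
    print("PAP  %{User-Password} ->", expand_user_password(pap))
    print("CHAP %{User-Password} ->", expand_user_password(chap))
    print("CHAP, server knows password:", server_check(chap, b"hello"))
    print("CHAP, wrong stored password:", server_check(chap, b"wrong"))
    print("CHAP, no stored password   :", server_check(chap, None))
```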