EAP-TLS with Google Secure LDAP - iPhone authentication issue

Helder Miolo heldermiolo4 at gmail.com
Thu Mar 5 15:36:11 UTC 2026


Hello, I am running FreeRADIUS 3.0 on Ubuntu 24.04. I am trying to
authenticate users via WPA2-Enterprise using Google Secure LDAP as the
backend. It turns out that Android phones are working perfectly, but iPhones
are experiencing a similar error:

5) ldap: ERROR: Attribute "User-Password" is required for authentication
(5)       [ldap] = invalid
(5)     } # Auth-Type LDAP = invalid
(5)   Failed to authenticate the user
(5)   Using Post-Auth-Type Reject
(5)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> 706130272 at ucm.ac.mz
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)       [attr_filter.access_reject] = updated
(5)       update outer.session-state {
(5)         &Module-Failure-Message := &request:Module-Failure-Message ->
'ldap: Attribute "User-Password" is required for authentication'
(5)       } # update outer.session-state = noop
(5)     } # Post-Auth-Type REJECT = updated
(5)   Login incorrect (ldap: Attribute "User-Password" is required for
authentication): [706130272 at ucm.ac.mz] (from client ap4 port 0 cli
7E-F4-29-39-B9-0F via TLS tunnel)
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) eap_ttls: Got tunneled Access-Reject
(5) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module
failed

Problem:
- iPhone forces MSCHAPv2 even when EAP-TTLS/PAP is configured
- radtest with PAP works successfully

Current configuration:
- eap.conf: default_eap_type = ttls, ttls { default_eap_type = pap }
- inner-tunnel: Auth-Type PAP and LDAP configured
- libldap is using GnuTLS while FreeRADIUS uses OpenSSL (Ubuntu 24.04 issue)

