Hi, a quick look seems to show that you don't have a suitable authorise section in the inner tunnel.
The tunnel gets started... your client rejects the default MD5 the server sent, and EAP-TTLS gets done... the username/password gets sent but has nothing to go against... so I suggest you add 'ldap' to the inner-tunnel virtual server (in the same way that ldap and LDAP are defined in the default server...).

alan
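
The change suggested above, sketched as an added example; it is not part of the original message and not the poster's actual configuration. It assumes a FreeRADIUS 2.x-style `raddb/sites-available/inner-tunnel` file and an LDAP module instance named `ldap`, mirrored from the default server as the message describes; unrelated stock lines are omitted.

```text
# raddb/sites-available/inner-tunnel (assumed path, FreeRADIUS 2.x layout)
# Requests decoded from inside the EAP-TTLS tunnel are processed here,
# not in the default virtual server.
server inner-tunnel {

    authorize {
        # Needed so the inner EAP method can still be negotiated.
        eap {
            ok = return
        }

        # "ldap": look the tunnelled User-Name up in the directory.
        # Without a module here the inner username/password has
        # nothing to be checked against and the request is rejected.
        ldap

        # Lets PAP handle the request if the lookup returned a
        # known-good password for the user.
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }

        # "LDAP": the Auth-Type that makes the server verify the
        # tunnelled password with a bind to the directory as the user.
        Auth-Type LDAP {
            ldap
        }

        eap
    }
}
```

Running the server in debug mode (`radiusd -X`) after the change shows whether the inner request now reaches the `ldap` module in the `inner-tunnel` authorize section.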