I'm in the process of capturing the Wireshark traces with TLS decryption, but I just noticed that Freeradius crashes (or terminated) after a while and thought this would be an interesting find: Ready to process requests (334) Received Access-Request Id 210 from 192.168.1.2:1987 to 192.168.1.4:1812 length 108 (334) User-Name = "anonymous" (334) NAS-Port = 24 (334) NAS-Port-Id = "24" (334) Calling-Station-Id = "00-19-B8-01-79-D9" (334) EAP-Message = 0x026a000e01616e6f6e796d6f7573 (334) NAS-Port-Type = Ethernet (334) Message-Authenticator = 0xdfcd2705ee72509eecf6c3e600dcc672 (334) NAS-IP-Address = 192.168.1.2 (334) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (334) authorize { (334) policy filter_username { (334) if (&User-Name) { (334) if (&User-Name) -> TRUE (334) if (&User-Name) { (334) if (&User-Name =~ / /) { (334) if (&User-Name =~ / /) -> FALSE (334) if (&User-Name =~ /@[^@]*@/ ) { (334) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (334) if (&User-Name =~ /\.\./ ) { (334) if (&User-Name =~ /\.\./ ) -> FALSE (334) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (334) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (334) if (&User-Name =~ /\.$/) { (334) if (&User-Name =~ /\.$/) -> FALSE (334) if (&User-Name =~ /@\./) { (334) if (&User-Name =~ /@\./) -> FALSE (334) } # if (&User-Name) = notfound (334) } # policy filter_username = notfound (334) [preprocess] = ok (334) [chap] = noop (334) [mschap] = noop (334) [digest] = noop (334) suffix: Checking for suffix after "@" (334) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (334) suffix: No such realm "NULL" (334) [suffix] = noop (334) eap: Peer sent EAP Response (code 2) ID 106 length 14 (334) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (334) [eap] = ok (334) } # authorize = ok (334) Found Auth-Type = eap (334) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (334) authenticate { (334) eap: Peer sent packet with method EAP Identity (1) (334) eap: Calling submodule eap_tls to process data (334) eap_tls: (TLS) Initiating new session (334) eap_tls: (TLS) Setting verify mode to require certificate from client (334) eap: Sending EAP Request (code 1) ID 107 length 6 (334) eap: EAP session adding &reply:State = 0x5a501c065a3b1144 (334) [eap] = handled (334) } # authenticate = handled (334) Using Post-Auth-Type Challenge (334) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (334) Challenge { ... } # empty sub-section is ignored (334) session-state: Saving cached attributes (334) Framed-MTU = 994 (334) Sent Access-Challenge Id 210 from 192.168.1.4:1812 to 192.168.1.2:1987 length 0 (334) EAP-Message = 0x016b00060d20 (334) Message-Authenticator = 0x00000000000000000000000000000000 (334) State = 0x5a501c065a3b114455a3bcc90888424a (334) Finished request Waking up in 4.9 seconds. (335) Received Access-Request Id 65 from 192.168.1.2:1988 to 192.168.1.4:1812 length 320 (335) User-Name = "anonymous" (335) NAS-Port = 24 (335) NAS-Port-Id = "24" (335) Calling-Station-Id = "00-19-B8-01-79-D9" (335) EAP-Message = 0x026b00d00d0016030300c5010000c1030349805d93404b82da96e2c4d11d21164899a0e804068aa661c4d4e66508f59a72000066c02cc02bc030c02f009f009e009d009cc02ec02dc032c031c027c023c029c025c028c024c02ac026c00ac005c009c004c007c002c008c003c014c00fc013c00ec011c00cc012c00d006b0067003900330016003d003c0035002f00050004000a00fb00fc00fd01000032000d0012001006030503040302030601050104010201000b00020100000a000e000c00190018001700150013001000170000 (335) State = 0x5a501c065a3b114455a3bcc90888424a (335) NAS-Port-Type = Ethernet (335) Message-Authenticator = 0x34e230e65cd0d63361bc0d3e17314e00 (335) NAS-IP-Address = 192.168.1.2 talloc: access after free error - first free may be at src/main/state.c:364 Bad talloc magic value - access after free talloc abort: Bad talloc magic value - access after free Backtrace of last 4294967295 frames: Abort