Hi, As explained in previous mails of the thread, FreeRadius EAP-TLS support is broken (the EAP encapsulated TLS ChangeCipherSpec and TLS Finished messages are not sent). Bisecting the issue led me here: commit b51a3a82edb797f5d0a2758bd1a38359d6f66803 Author: Alan T. DeKok <aland@freeradius.org> Date: Sun Aug 24 10:04:55 2008 +0200 Clean up debug && log messages AFAICT, the test that prevented eaptls_ack_handler() to return EAPTLS_SUCCESS *before* flushing remaining local messages (i.e. returning EAPTLS_REQUEST so that they be sent to the peer to complete the TLS handshake) was removed in that commit. The patch below is against current git tree. With Axel, we tested the fix with 2.1.3: it corrects the issue. Cheers, a+ Signed-off-by: Arnaud Ebalard <arno@natisbad.org> Tested-by: Axel Tillequin <axel.tillequin@gmail.com> --- src/modules/rlm_eap/libeap/eap_tls.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c index cd95bec..42edbed 100644 --- a/src/modules/rlm_eap/libeap/eap_tls.c +++ b/src/modules/rlm_eap/libeap/eap_tls.c @@ -330,7 +330,8 @@ static eaptls_status_t eaptls_ack_handler(EAP_HANDLER *handler) return EAPTLS_FAIL; case handshake: - if (tls_session->info.handshake_type == finished) { + if ((tls_session->info.handshake_type == finished) && + (tls_session->dirty_out.used == 0)) { RDEBUG2("ACK handshake is finished"); /* -- 1.5.6.5