Hi, I'm integrating hostap's EAP library and its EAP supplicant state machine on an embedded device and am testing against the FreeRADIUS server. I've got MD5 authentication going (yes, I know this is open to attacks) and I have EAP-TTLS going as well. However, with EAP-TLS I'm getting the error as per subject of this email. I'm getting the same error if I set the EAP-TTLS config option "require_client_cert = yes". It definitely is a problem with the certificate, but I don't know what (or how to get more information about this). I created the test certificates and copied the ca.pem file to the device with my hostap EAP library and EAP supplicant state machine. The FreeRadius log: (4) Found Auth-Type = eap (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x05594454060d4948 (4) eap: Finished EAP session with state 0x05594454060d4948 (4) eap: Previous EAP request found for state 0x05594454060d4948, released from the list (4) eap: Peer sent packet with method EAP TLS (13) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: Continuing EAP-TLS (4) eap_tls: [eaptls verify] = ok (4) eap_tls: Done initial handshake (4) eap_tls: TLS_accept: SSLv3/TLS write server done (4) eap_tls: >>> send TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message tls: TLS_accept: Error in error (4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:141A20F4:SSL routines:ossl_statem_server_read_transition:unexpected message (4) eap_tls: ERROR: System call (I/O) error (-1) (4) eap_tls: ERROR: TLS receive handshake failed during operation (4) eap_tls: ERROR: [eaptls process] = fail (4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (4) eap: Sending EAP Failure (code 4) ID 84 length 4 (4) eap: Failed in EAP select (4) [eap] = invalid (4) } # authenticate = invalid (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject The wireshark log (for EAP-TLS) looks like this: No. Time Source Destination Protocol Length Info 16 2.721206 00:11:22:33:44:55 00:00:00:00:00:00 EAPOL 60 Start 17 2.722845 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP 60 Request, Identity 18 2.741815 00:11:22:33:44:55 cc:37:ab:cb:f6:98 EAP 60 Response, Identity 19 2.746876 192.168.1.2 192.168.1.4 RADIUS 144 Access-Request id=166 42 2.752227 192.168.1.4 192.168.1.2 RADIUS 106 Access-Challenge id=166 46 2.756640 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP 60 Request, TLS EAP (EAP-TLS) 69 6.971847 00:11:22:33:44:55 cc:37:ab:cb:f6:98 TLSv1.2 226 Client Hello 70 7.084757 192.168.1.2 192.168.1.4 RADIUS 359 Access-Request id=65 112 7.149186 192.168.1.4 192.168.1.2 RADIUS 1110 Access-Challenge id=65 118 7.156721 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP 1022 Request, TLS EAP (EAP-TLS) 119 7.162062 00:11:22:33:44:55 cc:37:ab:cb:f6:98 EAP 60 Response, TLS EAP (EAP-TLS) 120 7.166973 192.168.1.2 192.168.1.4 RADIUS 157 Access-Request id=136 141 7.170477 192.168.1.4 192.168.1.2 RADIUS 1110 Access-Challenge id=136 145 7.176735 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP 1022 Request, TLS EAP (EAP-TLS) 146 7.182956 00:11:22:33:44:55 cc:37:ab:cb:f6:98 EAP 60 Response, TLS EAP (EAP-TLS) 147 7.188318 192.168.1.2 192.168.1.4 RADIUS 157 Access-Request id=166 166 7.191746 192.168.1.4 192.168.1.2 RADIUS 1063 Access-Challenge id=166 170 7.196867 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 TLSv1.2 975 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done 257 16.852519 00:11:22:33:44:55 cc:37:ab:cb:f6:98 TLSv1.2 150 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message 258 16.882712 192.168.1.2 192.168.1.4 RADIUS 283 Access-Request id=56 290 17.929500 192.168.1.4 192.168.1.2 RADIUS 86 Access-Reject id=56 296 18.007949 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP 60 Failure Any ideas? Thanks in advance, Mike.