Hello All, I have been facing an issue with using tls1.3 in the freeradius. I have been using OpenWrt OS 24.10-rc2 hosted on a linksys router 3200acm. I have been using freeradius 3.2.5 and openssl 3.0.15. I am trying to setup a cert based authentication. My client is a linux system. My setup works fine when i set the tls min,max to 1.2 in the eap. Now i wanted to use it with tls1.3 and below is the error message that i am getting at the radius server: (2) Finished request Waking up in 0.1 seconds. (3) Received Access-Request Id 25 from 127.0.0.1:48027 to 127.0.0.1:1812 length 414 (3) Message-Authenticator = 0xc98320007899b6bb4770df4b55e42006 (3) User-Name = "user" (3) NAS-IP-Address = 127.0.0.1 (3) NAS-Identifier = "24f5a2c3707a" (3) Called-Station-Id = "24-F5-A2-C3-70-7A:WIFI_LNK_5G" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) NAS-Port = 1 (3) Calling-Station-Id = "C0-EE-40-45-49-8C" (3) Connect-Info = "CONNECT 54Mbps 802.11a" (3) Acct-Session-Id = "6F4499DCFDDEF213" (3) Attr-186 = 0x000fac04 (3) Attr-187 = 0x000fac04 (3) Attr-188 = 0x000fac01 (3) Framed-MTU = 1400 (3) EAP-Message = 0x02ff00c40d0016030100b9010000b503036218c045b79856a9894150ad6bbca3a09f0e1cd0191899d60097eb7db525a122000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602 (3) State = 0xeafcdefdea03d3f8dbd1dcc1dd69fc85 (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) # Executing section authorize from file /etc/freeradius3/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "user", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 255 length 196 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius3/sites-enabled/default (3) authenticate { (3) eap: Removing EAP session with state 0xeafcdefdea03d3f8 (3) eap: Previous EAP request found for state 0xeafcdefdea03d3f8, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: (TLS) EAP Got final fragment (190 bytes) (3) eap_tls: WARNING: (TLS) EAP Total received record fragments (190 bytes), does not equal expected expected data length (0 bytes) (3) eap_tls: (TLS) EAP Done initial handshake (3) eap_tls: (TLS) TLS - Handshake state - before SSL initialization (3) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (3) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (3) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello (3) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal protocol_version (3) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:protocol version (3) eap_tls: ERROR: (TLS) TLS - Server : Error in error (3) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol (3) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (3) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (3) eap_tls: ERROR: [eaptls process] = fail (3) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (3) eap: Sending EAP Failure (code 4) ID 255 length 4 (3) eap: Failed in EAP select (3) [eap] = invalid (3) } # authenticate = invalid (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/freeradius3/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> user (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) [eap] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Delaying response for 1.000000 seconds (0) Cleaning up request packet ID 22 with timestamp +589 due to cleanup_delay was reached (1) Cleaning up request packet ID 23 with timestamp +589 due to cleanup_delay was reached Waking up in 0.2 seconds. Waking up in 0.6 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 25 from 127.0.0.1:1812 to 127.0.0.1:48027 length 44 (3) EAP-Message = 0x04ff0004 (3) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. I did update the eap file tls_min_version and tls_max_version to 1.3 Any help is highly appreciated. -Akhil