Hello everybody, I didn't find a thread with exactly my problem, so I start a new thread. I'm having problem with new certs in my freeradius server. I did what README file but didn't work for me. in radiusd -X log I see this: (14) Received Access-Request Id 143 from 192.168.100.149:43928 to 10.0.130.23:1812 length 343 (14) User-Name = "usuario" (14) Called-Station-Id = "C4-E9-84-91-2E-FE:OpenWrt" (14) NAS-Port-Type = Wireless-802.11 (14) NAS-Port = 1 (14) Calling-Station-Id = "28-56-5A-0B-6D-83" (14) Connect-Info = "CONNECT 54Mbps 802.11g" (14) Acct-Session-Id = "59BA907E-00000018" (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-Group-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027073 (14) Framed-MTU = 1400 (14) EAP-Message = 0x02e70090198000000086160301004610000042410492d1ad5ac120e777664ce20c7c650f4e41bc63a2eca81c1dbe4823c38737e4b81569bf9ec7f238534875e6f5b1525501127a1b9d59f780572d294986bb2f82091403010001011603010030d0e814aba78d0c8affc8aca00d5577364bcf5880d8616f (14) State = 0x64dfe0536738f990f317a982d66da244 (14) Message-Authenticator = 0x5340ff52aba979858d1a8e7d661ac258 (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/raddb/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (!&User-Name) { (14) if (!&User-Name) -> FALSE (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@.*@/ ) { (14) if (&User-Name =~ /@.*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "usuario", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 231 length 144 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/raddb/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0x64dfe0536738f990 (14) eap: Finished EAP session with state 0x64dfe0536738f990 (14) eap: Previous EAP request found for state 0x64dfe0536738f990, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer indicated complete TLS record size will be 134 bytes (14) eap_peap: Got complete TLS record (134 bytes) (14) eap_peap: [eaptls verify] = length included (14) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (14) eap_peap: TLS_accept: SSLv3 read client key exchange A (14) eap_peap: TLS_accept: SSLv3 read certificate verify A (14) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (14) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (14) eap_peap: TLS_accept: SSLv3 read finished A (14) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (14) eap_peap: TLS_accept: SSLv3 write change cipher spec A (14) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (14) eap_peap: TLS_accept: SSLv3 write finished A (14) eap_peap: TLS_accept: SSLv3 flush data (14) eap_peap: (other): SSL negotiation finished successfully (14) eap_peap: SSL Connection Established (14) eap_peap: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 232 length 65 (14) eap: EAP session adding &reply:State = 0x64dfe0536037f990 (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) Post-Auth-Type sub-section not found. Ignoring. (14) # Executing group from file /etc/raddb/sites-enabled/default (14) Sent Access-Challenge Id 143 from 10.0.130.23:1812 to 192.168.100.149:43928 length 0 (14) EAP-Message = 0x01e80041190014030100010116030100307ed7fccb2ae6411aaf4df33748b8b02954729256ddd506ace2d362f9cd28c4e05489136e8cbd84abb28b3d0921f1300a (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x64dfe0536037f990f317a982d66da244 (14) Finished request (14) Cleaning up request packet ID 143 with timestamp +187 Ready to process requests up to here, everything seems right. but when I start service, in service log I see this: Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read) Thu Sep 14 14:09:13 2017 : Auth: (4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [usuario] (from client wrtnicolas.fder port 1 cli 28-56-5A-0B-6D-83) any help will be wellcome. saludos/greetings Nicolás.