Thank you Alan, I commented out section cache in file mods-enabled/eap but the result is I can't connect at all and here is debug output: Sat Dec 5 16:12:27 2015 : Debug: (4) eap : Calling eap_tls to process EAP data Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : Authenticate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : processing EAP-TLS Sat Dec 5 16:12:27 2015 : Debug: TLS Length 1414 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : Length Included Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : eaptls_verify returned 11 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : <<< TLS 1.0 Handshake [length 03fa], Certificate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : chain-depth=1, Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : error=0 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> User-Name = mib@example.com Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> BUF-Name = SelfSigned certificate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> subject = /C=CZ/ST=CzechRepublic/L=NorthMoravia/O=AIB/emailAddress=it@example.com/CN=SelfSigned certificate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> issuer = /C=CZ/ST=CzechRepublic/L=NorthMoravia/O=AIB/emailAddress=it@example.com/CN=SelfSigned certificate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> verify return:1 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : chain-depth=0, Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : error=0 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> User-Name = mib@example.com Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> BUF-Name = mib@example.com Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> subject = /C=CZ/ST=CzechRepublic/O=AIB/CN=mib@example.com/emailAddress=it@example.com Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> issuer = /C=CZ/ST=CzechRepublic/L=NorthMoravia/O=AIB/emailAddress=it@example.com/CN=SelfSigned certificate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> verify return:1 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 read client certificate A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 read client key exchange A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 read certificate verify A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001] Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 read finished A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001] Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 write change cipher spec A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 write finished A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 flush data Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : (other): SSL negotiation finished successfully Sat Dec 5 16:12:27 2015 : Debug: SSL Connection Established Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : eaptls_process returned 13 Sat Dec 5 16:12:27 2015 : Debug: (4) eap : New EAP session, adding 'State' attribute to reply 0x0701786703067527 Sat Dec 5 16:12:27 2015 : Debug: (4) modsingle[authenticate]: returned from eap (rlm_eap) for request 4 Sat Dec 5 16:12:27 2015 : Debug: (4) [eap] = handled Sat Dec 5 16:12:27 2015 : Debug: (4) } # authenticate = handled Sat Dec 5 16:12:27 2015 : Debug: (4) Sending Access-Challenge packet to host 172.16.0.20 port 32769, id=180, length=0 Sat Dec 5 16:12:27 2015 : Debug: (4) EAP-Message = 0x010700450d800000003b14030100010116030100308c4c70cee63e7eccf2311eceedf4f1af7a41904352e4f549283dcd48e7fee6b9f69c511e61b12859905e9d6eda8bbc7d Sat Dec 5 16:12:27 2015 : Debug: (4) Message-Authenticator = 0x00000000000000000000000000000000 Sat Dec 5 16:12:27 2015 : Debug: (4) State = 0x07017867030675271a926a176ed75fb9 Sending Access-Challenge Id 180 from 172.16.110.17:1812 to 172.16.0.20:32769 EAP-Message = 0x010700450d800000003b14030100010116030100308c4c70cee63e7eccf2311eceedf4f1af7a41904352e4f549283dcd48e7fee6b9f69c511e61b12859905e9d6eda8bbc7d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07017867030675271a926a176ed75fb9 Sat Dec 5 16:12:27 2015 : Debug: (4) Finished request Sat Dec 5 16:12:27 2015 : Debug: Waking up in 0.2 seconds. Received Access-Request Id 181 from 172.16.0.20:32769 to 172.16.110.17:1812 length 273 User-Name = 'mib@example.com' Chargeable-User-Identity = 0x00 Location-Capable = Civix-Location Gracian