I am running freeradius-1.0.4 on SLES10, XP supplicant and Cisco Aironet 1200 AP. My goal is to authenticate against the "users" file and use WEP with eap-tls. I am trying to support Windows CE, and PEAP is not an option. users: 0213dec2114a Auth-Type:=Accept Service-Type = Framed-User, Tunnel-Private-Group-ID := 116, Tunnel-Medium-Type := IEEE-802 eap.conf: eap { default_eap_type = tls tls { private_key_password = secret private_key_file = ${raddbdir}/certs/private/radius.key certificate_file = /etc/raddb/certs/radius.crt # Trusted Root CA list CA_file = /etc/raddb/certs/CA.crt dh_file = ${raddbdir}/certs/dh random_file = /etc/raddb/certs/random fragment_size = 1024 include_length = yes } } radiusd.conf: authorize { auth_log files eap } authenticate { eap } I have uploaded both the CA andd certificate file to the supplicant, as trusted certificates. For some reason, I continue to see the balloon from windows indicating that a valid certificate could not be found for comparison. I have followed the PDF instructions found in EAPTLS.pdf. Here is a sample of my radiusd -X -s logs: rad_recv: Access-Request packet from host 192.168.214.99:1645, id=39, length=115 User-Name = "0213dec2114a" User-Password = "Qp\203e\206%\010`\256\243\203u;\362\321\017" Called-Station-Id = "0014.6a73.6110" Calling-Station-Id = "0213.dec2.114a" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 551 NAS-IP-Address = 192.168.214.99 NAS-Identifier = "AP-99" rad_rmspace_pair: User-Password now 'Qp?d?%?`?u;?' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 radius_xlat: '/var/log/radius/radius-MAC/radacct/auth-detail-20070829' rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct//auth-detail-20070829 modcall[authorize]: module "auth_log" returns ok for request 2 users: Matched entry 0213dec2114a at line 38 modcall[authorize]: module "files" returns ok for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 2 radius_xlat: '/var/log/radius/radius-MAC/radacct/reply-detail-20070829' rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct/reply-detail-20070829 modcall[post-auth]: module "reply_log" returns ok for request 2 modcall: group post-auth returns ok for request 2 Sending Access-Accept of id 39 to 192.168.214.99:1645 Service-Type = Framed-User Tunnel-Private-Group-Id:0 := "116" Tunnel-Medium-Type:0 := IEEE-802 Finished request 2 Going to the next request --- Walking the entire request list --- ...this transaction is repeated over and over and over again. I have also tried commenting out all instances of "eap" from radiusd.conf, hoping to do non-wep mac address authentication, as a list effort. I then remove WEP support from the supplicant and Cisco AP. While freeradius reports "access-accept", the supplicant hangs on obtaining an ip address (with no related logs shown on my dhcp server) and the cisco AP reports "GMT: %DOT11-7-AUTH_FAILED: Station 0213.dec2.114a Authentication failed" --johnk