Hello, I executed eapol_test from wpa_supplicat-2.4 (that is using TLS-1.2) against freeradius-2.2.8 and the following cases are failing with " [ttls] Tunneled challenge is incorrect": EAP-TTLS/CHAP EAP-TTLS/MSCHAP EAP-TTLS/MSCHAPv2 Interestingly the same tests with eapol_test from wpa_supplicat-2.4 (that is using TLS-1.0) are fine. I would be surprised if I was the first who tried to run these tests. Does anybody experienced the same issue? For configuration and test results please refer to the attached file. radiusd in debug mode write this: ... [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Tunneled challenge is incorrect [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [eap] Reply already contained an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 6 to 127.0.0.1 port 49816 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 The test configuration files looks like this: # cat EAP-TTLS_CHAP.conf ctrl_interface=wpa_supplicant.ctrl network={ ssid="QA test 802.1x network" key_mgmt=IEEE8021X eap=TTLS phase2="auth=CHAP" identity="testuser" anonymous_identity="anonymous" password="testpwd" ca_cert="/etc/raddb/certs/ca.pem" ca_cert2="/etc/raddb/certs/ca.pem" } The raiusd has the default configuration except: /etc/raddb/modules/mschap /etc/raddb/modules/pap /etc/raddb/eap.conf /etc/raddb/users and test certificates were created and added. For the details please see the attached file. The wpa_supplicant was built with the provided "defconfig" configuration. Regards, Patrik Kis