The only case I know of where a client has attempted to negotiate TLS 1.3 (for peap) is an Ubuntu 18.04 client running OpenSSL 1.1.1 and it fails during TLS negotiation with our FreeRADIUS server which is v3.0.17 on RHEL 7.6 with OpenSSL 1.1.1c. Do we know with any certainty whether this is a problem with OpenSSL, FreeRADIUS or something else with the peers? I can resolve the problem by setting “tls_max_version = ‘1.2’” but would like to see the negotiation for 1.3 succeed. The failure is early, in the request immediately following the EAP Identity. Here is the relevant debug info. (126) fsu-eap: Calling submodule eap_peap to process data (126) eap_peap: Continuing EAP-TLS (126) eap_peap: Peer sent flags --L (126) eap_peap: Peer indicated complete TLS record size will be 289 bytes (126) eap_peap: Got complete TLS record (289 bytes) (126) eap_peap: [eaptls verify] = length included (126) eap_peap: (other): before SSL initialization (126) eap_peap: TLS_accept: before SSL initialization Ignoring cbtls_msg call with pseudo content type 256, version 0 (126) eap_peap: TLS_accept: before SSL initialization (126) eap_peap: <<< recv TLS 1.3 [length 011c] (126) eap_peap: TLS_accept: SSLv3/TLS read client hello Ignoring cbtls_msg call with pseudo content type 256, version 0 (126) eap_peap: >>> send TLS 1.3 [length 0058] (126) eap_peap: TLS_accept: SSLv3/TLS write server hello Ignoring cbtls_msg call with pseudo content type 256, version 0 (126) eap_peap: >>> send TLS 1.3 [length 0001] (126) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (126) eap_peap: TLS_accept: TLSv1.3 early data (126) eap_peap: TLS_accept: Need to read more data: TLSv1.3 early data (126) eap_peap: TLS - In Handshake Phase (126) eap_peap: TLS - Failed getting session (126) eap_peap: TLS receive handshake failed during operation (126) eap_peap: [eaptls process] = fail (126) fsu-eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed (126) fsu-eap: Sending EAP Failure (code 4) ID 2 length 4 (126) fsu-eap: Failed in EAP select (126) modsingle[authenticate]: returned from fsu-eap (rlm_eap) (126) [fsu-eap] = invalid (126) } # Auth-Type fsu-eap = invalid (126) Failed to authenticate the user (126) Using Post-Auth-Type Reject Doug Wussler Florida State University