Alright, I took your suggestions to heart and installed ubuntu+freeradius 3.0 from scratch. configured the users and clients configs so that I can connect. Testing with peap: Access-Accept. OK Then used the CA.pl with -newca -newreq-nodes -sign Made a dh file and copied the random with dd to another folder for easier access eap.conf eap default_eap_type = peap tls-config tls-common put in the key file, certificate file, dh file, random file and ca file ca_path =/etc/freeradius/3.0/eap/eapCA/ then enabled verify { tmpdir = /etc/freeradius/3.0/tmp client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } no change in peap peap { tls = tls-common .... } Now if I start freeradius -X and connect I still get an Access-Accept even though my client doesnt have the correct client certificate (because I never created it). And if I scroll up in the debug mode I get a eap_peap: [eaptls verify] = ok Why does my server not verify the client correctly (or at all) Thanks for any input/help Tweet