Hello everyone! I have a weird issue with freeradius 3.0.16. I try to implement an auth exchange with the RADIUS, requesting EAP-TLS. At this moment I only need to get to the phase when server responds with Access-Challenge with server certificate (so, 2 packets from NAD and 2 from the server). To generate NAD-side packets I use python3 with scapy. Freeradius was set up to use EAP-TLS for test user auth. First access-request from the NAD side is responded with Access-Challenge from the server. So far so good. But when I send the second packet, I receive an Access-Reject. Suprisingly, the server reports I'm using unsupported TLS version ?0304?. Why "surprizingly"? Well, because I use earlier TLS version, and it is well visible even in server debugs (if you check "eap message" part, where is "0301"). I also checked in Wireshark (captured both on the server machine and "NAD" machine) - the packet is correctly dissected by latest wireshark and has TLS1.1 inside. Caching is disabled. OpenSSL is already at the newest version (1.1.1-1ubuntu2.1~18.04.5). I tried to rebuild my VM from scratch (so again, installed Ubuntu 18, freeradius 3.0.16, etc) - but the issue persists. Here is the debug: Ready to process requests (0) Received Access-Request Id 200 from 192.168.0.14:53256 to 192.168.0.59:1812 length 67 (0) Service-Type = Framed-User (0) User-Name = "test" (0) Framed-MTU = 1500 (0) EAP-Message = 0x020500090174657374 (0) Message-Authenticator = 0xefe697c97fd0118935d39e9a25d6baff (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]@/ ) { (0) if (&User-Name =~ /@[^@]@/ ) -> FALSE (0) if (&User-Name =~ /../ ) { (0) if (&User-Name =~ /../ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE (0) if (&User-Name =~ /.$/) { (0) if (&User-Name =~ /.$/) -> FALSE (0) if (&User-Name =~ /@./) { (0) if (&User-Name =~ /@./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/192.168.0.14/auth-detail-20200214 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.14/auth-detail-20200214 (0) auth_log: EXPAND %t (0) auth_log: --> Fri Feb 14 15:03:01 2020 (0) [auth_log] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "test", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 5 length 9 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: Initiating new EAP-TLS session (0) eap_tls: Setting verify mode to require certificate from client (0) eap_tls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 6 length 6 (0) eap: EAP session adding &reply:State = 0xe879495de87f44cf (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 200 from 192.168.0.59:1812 to 192.168.0.14:53256 length 0 (0) EAP-Message = 0x010600060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xe879495de87f44cfa950f055cfc4b84d (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 201 from 192.168.0.14:53256 to 192.168.0.59:1812 length 163 (1) Service-Type = Framed-User (1) User-Name = "test" (1) Framed-MTU = 1500 (1) EAP-Message = 0x020600570d800000004d16030100480100004403015e43c51b0000000000000000000000000000000000000000000000000000000000001600040005000a0009006400620003000600130012006301000005ff01000100 (1) State = 0xe879495de87f44cfa950f055cfc4b84d (1) Message-Authenticator = 0x70eca9c059289b575655c08683064d67 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]@/ ) { (1) if (&User-Name =~ /@[^@]@/ ) -> FALSE (1) if (&User-Name =~ /../ ) { (1) if (&User-Name =~ /../ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE (1) if (&User-Name =~ /.$/) { (1) if (&User-Name =~ /.$/) -> FALSE (1) if (&User-Name =~ /@./) { (1) if (&User-Name =~ /@./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (1) auth_log: --> /var/log/freeradius/radacct/192.168.0.14/auth-detail-20200214 (1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.14/auth-detail-20200214 (1) auth_log: EXPAND %t (1) auth_log: --> Fri Feb 14 15:03:01 2020 (1) [auth_log] = ok (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "test", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 6 length 87 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xe879495de87f44cf (1) eap: Finished EAP session with state 0xe879495de87f44cf (1) eap: Previous EAP request found for state 0xe879495de87f44cf, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: Continuing EAP-TLS (1) eap_tls: Peer indicated complete TLS record size will be 77 bytes (1) eap_tls: Got complete TLS record (77 bytes) (1) eap_tls: [eaptls verify] = length included (1) eap_tls: (other): before SSL initialization (1) eap_tls: TLS_accept: before SSL initialization (1) eap_tls: TLS_accept: before SSL initialization (1) eap_tls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048] (1) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure (1) eap_tls: ERROR: TLS Alert write:fatal:handshake failure tls: TLS_accept: Error in error (1) eap_tls: ERROR: Failed in FUNCTION (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher (1) eap_tls: ERROR: System call (I/O) error (-1) (1) eap_tls: ERROR: TLS receive handshake failed during operation (1) eap_tls: ERROR: [eaptls process] = fail (1) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (1) eap: Sending EAP Failure (code 4) ID 6 length 4 (1) eap: Failed in EAP select (1) [eap] = invalid (1) } # authenticate = invalid (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject What could be wrong here? Where should I debug further? Thanks a ton in advance for any hints! Cheers, Iron