Ok I've upgraded to freeradius-server-3.0.11 Below is the output I get from the Cisco phone attempt, this is iteration "320" and it just continues to make attempts (i assume because it's UDP)? ================================================================================================================================================================== (320) Received Access-Request Id 17 from 192.168.11.62:34495 to 192.168.11.61:1812 length 288 (320) User-Name = "CP-7841-SEPF07816D1207E" (320) Called-Station-Id = "f8-b1-56-6f-15-d6" (320) Calling-Station-Id = "f0:78:16:d1:20:7e" (320) NAS-Identifier = "f8-b1-56-6f-15-d4" (320) NAS-IP-Address = 192.168.11.62 (320) NAS-Port = 112 (320) Framed-MTU = 1500 (320) NAS-Port-Type = Ethernet (320) State = 0x7d8fc9d87d2bc4167bd29e25682eecf2 (320) EAP-Message = 0x02a4007c0d8000000072160301006d0100006903035c452fa402c853860cd34fcff40565ec53ec45be8cf56a5ed4643fefd588dc6300000ac030c02f0035002f00ff01000036000b000403000102000a000a00080019001800170013000d001c001a000004010501060103010201010102020403050306 (320) Message-Authenticator = 0x0162446871ec20dd4a2638fd7278064c (320) session-state: No cached attributes (320) # Executing section authorize from file /usr/local/freeradius/etc/raddb/sites-enabled/default (320) authorize { (320) policy filter_username { (320) if (!&User-Name) { (320) if (!&User-Name) -> FALSE (320) if (&User-Name =~ / /) { (320) if (&User-Name =~ / /) -> FALSE (320) if (&User-Name =~ /@.*@/ ) { (320) if (&User-Name =~ /@.*@/ ) -> FALSE (320) if (&User-Name =~ /\\.\\./ ) { (320) if (&User-Name =~ /\\.\\./ ) -> FALSE (320) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) { (320) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (320) if (&User-Name =~ /\\.$/) { (320) if (&User-Name =~ /\\.$/) -> FALSE (320) if (&User-Name =~ /@\\./) { (320) if (&User-Name =~ /@\\./) -> FALSE (320) } # policy filter_username = notfound (320) [preprocess] = ok (320) [digest] = noop (320) suffix: Checking for suffix after "@" (320) suffix: No '@' in User-Name = "CP-7841-SEPF07816D1207E", looking up realm NULL (320) suffix: No such realm "NULL" (320) [suffix] = noop (320) eap: Peer sent EAP Response (code 2) ID 164 length 124 (320) eap: No EAP Start, assuming it's an on-going EAP conversation (320) [eap] = updated (320) [files] = noop (320) [expiration] = noop (320) [logintime] = noop (320) [pap] = noop (320) } # authorize = updated (320) Found Auth-Type = eap (320) # Executing group from file /usr/local/freeradius/etc/raddb/sites-enabled/default (320) authenticate { (320) eap: Expiring EAP session with state 0x59e62fe75ae3223b (320) eap: Finished EAP session with state 0x7d8fc9d87d2bc416 (320) eap: Previous EAP request found for state 0x7d8fc9d87d2bc416, released from the list (320) eap: Peer sent packet with method EAP TLS (13) (320) eap: Calling submodule eap_tls to process data (320) eap_tls: Continuing EAP-TLS (320) eap_tls: Peer indicated complete TLS record size will be 114 bytes (320) eap_tls: Got complete TLS record (114 bytes) (320) eap_tls: [eaptls verify] = length included (320) eap_tls: (other): before/accept initialization (320) eap_tls: TLS_accept: before/accept initialization (320) eap_tls: <<< recv TLS 1.2 [length 006d] (320) eap_tls: TLS_accept: SSLv3 read client hello A (320) eap_tls: >>> send TLS 1.2 [length 0059] (320) eap_tls: TLS_accept: SSLv3 write server hello A (320) eap_tls: >>> send TLS 1.2 [length 0816] (320) eap_tls: TLS_accept: SSLv3 write certificate A (320) eap_tls: >>> send TLS 1.2 [length 014d] (320) eap_tls: TLS_accept: SSLv3 write key exchange A (320) eap_tls: >>> send TLS 1.2 [length 0073] (320) eap_tls: TLS_accept: SSLv3 write certificate request A (320) eap_tls: TLS_accept: SSLv3 flush data (320) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (320) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (320) eap_tls: In SSL Handshake Phase (320) eap_tls: In SSL Accept mode (320) eap_tls: [eaptls process] = handled (320) eap: Sending EAP Request (code 1) ID 165 length 1004 (320) eap: EAP session adding &reply:State = 0x7d8fc9d87c2ac416 (320) [eap] = handled (320) } # authenticate = handled (320) Using Post-Auth-Type Challenge (320) Post-Auth-Type sub-section not found. Ignoring. (320) # Executing group from file /usr/local/freeradius/etc/raddb/sites-enabled/default (320) Sent Access-Challenge Id 17 from 192.168.11.61:1812 to 192.168.11.62:34495 length 0 (320) EAP-Message = 0x01a503ec0dc000000a43160303005902000055030357478e00dd7b5997bbb83b60ba5536c72cc6bf4cc099ed8246b5d6ba09b8eb30206df24a0f79a02af8687ebf21332b9e9a3fbf6b849f47f5a008b1eac24bd4d481c03000000dff01000100000b00040300010216030308160b00081200080f000452 (320) Message-Authenticator = 0x00000000000000000000000000000000 (320) State = 0x7d8fc9d87c2ac4167bd29e25682eecf2 (320) Finished request (320) Cleaning up request packet ID 17 with timestamp +435 ================================================================================================================================================================== cheers Craig