Hi all, I got this: (4) eap_rogue: Peer sent packet with method EAP PEAP (25) (4) eap_rogue: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 7 bytes (4) eap_peap: Got complete TLS record (7 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (4) eap_peap: ERROR: TLS_accept: Failed in unknown state (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read) (4) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (4) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (4) eap_peap: ERROR: System call (I/O) error (-1) (4) eap_peap: ERROR: TLS receive handshake failed during operation (4) eap_peap: ERROR: [eaptls process] = fail (4) eap_rogue: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (4) eap_rogue: Sending EAP Failure (code 4) ID 6 length 4 (4) eap_rogue: Failed in EAP select (4) [eap_rogue] = invalid (4) } # authenticate = invalid (4) Failed to authenticate the user (4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [<redacted>] (from client OAW_4650 port 0 cli A0-88-B4-2B-7F-E8) (4) Using Post-Auth-Type Reject (4) # Executing group from file /usr/local/freeradius-3.0.13/ etc/raddb/sites-enabled/default (4) Post-Auth-Type REJECT { (4) attr_filter.access_reject: EXPAND %{User-Name} (4) attr_filter.access_reject: --> <redacted> (4) attr_filter.access_reject: Matched entry DEFAULT at line 11 (4) [attr_filter.access_reject] = updated (4) [eap_legit] = noop (4) policy remove_reply_message_if_eap { (4) if (&reply:EAP-Message && &reply:Reply-Message) { (4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (4) else { (4) [noop] = noop (4) } # else = noop (4) } # policy remove_reply_message_if_eap = noop (4) } # Post-Auth-Type REJECT = updated (4) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (4) Sending delayed response (4) Sent Access-Reject Id 176 from 172.16.250.29:1812 to 192.168.250.242:56028 length 44 (4) EAP-Message = 0x04060004 (4) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. I want to make a SQL call whenever the EAP module fails in authorize. I have tried with a redundant block but the SQL call is not a module and was ignored. How can I intercept the reject action? And, even better: How can I access from unlang to the "TLS Alert read:fatal:unknown CA" string? Thanks!