Hi, I'd like to ask a question regarding the direction of the exchanges in the radius log (radiusd -X). I used eapol_test as a client/authenticator against FreeRADIUS 3.0.21. - If I set the following parameters in the FreeRADIUS eap file, espol_test will results in a failure. In this case, "eap_tls: <<< recv TLS 1.3" looks like an exchange from FreeRADIUS to eapol_test (SERVER -> CLIENT): tls_min_version = "1.3" tls_max_version = "1.3" The FREERADIUS log shows: (2) eap_tls: <<< recv TLS 1.3 [length 00b9] (2) eap_tls: >>> send TLS 1.2 [length 0002] (2) eap_tls: ERROR: TLS Alert write:fatal:protocol version - If I set the following parameters in the FreeRADIUS eap file, espol_test will results in a success. In this case, "eap_tls: <<< recv TLS 1.2" looks like an exchange from eapol_test to FreeRADIUS (CLIENT TO SERVER): tls_min_version = "1.2" tls_max_version = "1.3" (6) eap_tls: <<< recv TLS 1.2 [length 08de] (6) eap_tls: TLS - Creating attributes from certificate OIDs Could you please clarify the meaning of these "eap_tls: <<< recv" log messages? Thanks, Eric ------------------------------------------------------------------------------------------------------------------------------------------- FULL LOG tls_min_version = "1.3" tls_max_version = "1.3" (2) eap: Calling submodule eap_tls to process data (2) eap_tls: Continuing EAP-TLS (2) eap_tls: [eaptls verify] = ok (2) eap_tls: Done initial handshake (2) eap_tls: (other): before SSL initialization (2) eap_tls: TLS_accept: before SSL initialization (2) eap_tls: TLS_accept: before SSL initialization (2) eap_tls: <<< recv TLS 1.3 [length 00b9] (2) eap_tls: >>> send TLS 1.2 [length 0002] (2) eap_tls: ERROR: TLS Alert write:fatal:protocol version tls: TLS_accept: Error in error (2) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (2) eap_tls: ERROR: System call (I/O) error (-1) (2) eap_tls: ERROR: TLS receive handshake failed during operation (2) eap_tls: ERROR: [eaptls process] = fail (2) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (2) eap: Sending EAP Failure (code 4) ID 54 length 4 (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid ------------------------------------------------------------------------------------------------------------------------------------------- tls_min_version = "1.2" tls_max_version = "1.3" (6) eap: Calling submodule eap_tls to process data (6) eap_tls: Continuing EAP-TLS (6) eap_tls: Got final TLS record fragment (1272 bytes) (6) eap_tls: [eaptls verify] = ok (6) eap_tls: Done initial handshake (6) eap_tls: TLS_accept: SSLv3/TLS write server done (6) eap_tls: <<< recv TLS 1.2 [length 08de] (6) eap_tls: TLS - Creating attributes from certificate OIDs (6) eap_tls: TLS-Cert-Serial := "315fa3c827cb5c44e13222c88ff80369d1a176f1" (6) eap_tls: TLS-Cert-Expiration := "210113170058Z" (6) eap_tls: TLS-Cert-Valid-Since := "201114170058Z" (6) eap_tls: TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority" (6) eap_tls: TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority" (6) eap_tls: TLS-Cert-Common-Name := "Example Certificate Authority" (6) eap_tls: TLS - Creating attributes from certificate OIDs (6) eap_tls: TLS-Client-Cert-Serial := "02" (6) eap_tls: TLS-Client-Cert-Expiration := "210113170058Z" (6) eap_tls: TLS-Client-Cert-Valid-Since := "201114170058Z" (6) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org" (6) eap_tls: TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress= admin@example.org/CN=Example Certificate Authority" (6) eap_tls: TLS-Client-Cert-Common-Name := "user@example.org" (6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (6) eap_tls: TLS_accept: SSLv3/TLS read client certificate (6) eap_tls: <<< recv TLS 1.2 [length 0046] (6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange (6) eap_tls: <<< recv TLS 1.2 [length 0108] (6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify (6) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec (6) eap_tls: <<< recv TLS 1.2 [length 0010] (6) eap_tls: TLS_accept: SSLv3/TLS read finished (6) eap_tls: >>> send TLS 1.2 [length 0001] (6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec (6) eap_tls: >>> send TLS 1.2 [length 0010] (6) eap_tls: TLS_accept: SSLv3/TLS write finished (6) eap_tls: (other): SSL negotiation finished successfully (6) eap_tls: TLS - Connection Established (6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) eap_tls: TLS-Session-Version = "TLS 1.2" (6) eap_tls: TLS - got 51 bytes of data (6) eap_tls: [eaptls process] = handled