I had the same issue after updating Ubuntu from 18 to 20. This has something to do with the OpenSSL version. I fixed it by editing the eap module configuration: cipher_list = “DEFAULT@SECLEVEL=1” This forces OpenSSL to not use TLS1.3. IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199 E iolan@iolan.com • I http://www.iolan.com/ De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren. The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents here in and notify the sender immediately by return e-mail. -----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+j.sparla=iolan.com@lists.freeradius.org] Namens De Sylvain Verzonden: vrijdag 16 april 2021 14:51 Aan: freeradius-users@lists.freeradius.org Onderwerp: TLS version mismatch EAP TLS Hello Team, I need to open a case cause I meet an issue with TLS version mismatch between client and server. My scope : - FreeRADIUS Version 3.0.20 - OpenSSL 1.1.1f - Windows client TLS version allowed : TLS1.0/1.1/1.2 Accros few link(show below) I understood that TLS 1.3 was not correctly supported on freeradius. I have the same issue like this post #3665 <https://github.com/FreeRADIUS/freeradius-server/issues/3665> However my window client is correctly configured and it do no use tls version 1.3. Furthermore i make a packet capture and i can see that TLS 1.0 is used during TLS client hello. As show bellow, eap module configuration. I do not use "disable_tls" but tls_min/max feature as recommended. "# disable_tlsv1_2 = no" "# disable_tlsv1_1 = no" "# disable_tlsv1 = no" tls_min_version = "1.0" tls_max_version = "1.2" Freeradius debug : I do not understand how freeradius server can interptrer the tls request with 1.3 version. Client side tls 1.3 is not allowed and also on freeradius side. How can I interpret this issue ? Thanks in advance for your help. Freeradius live debug (1) eap: Expiring EAP session with state 0xcf201259cf221f90 (1) eap: Finished EAP session with state 0xcf201259cf221f90 (1) eap: Previous EAP request found for state 0xcf201259cf221f90, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: Continuing EAP-TLS (1) eap_tls: Peer indicated complete TLS record size will be 112 bytes (1) eap_tls: Got complete TLS record (112 bytes) (1) eap_tls: [eaptls verify] = length included (1) eap_tls: (other): before SSL initialization (1) eap_tls: TLS_accept: before SSL initialization (1) eap_tls: TLS_accept: before SSL initialization (1) eap_tls: <<< recv TLS 1.3 [length 006b] (1) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version (1) eap_tls: ERROR: TLS Alert write:fatal:protocol version tls: TLS_accept: Error in error (1) eap_tls: ERROR: Failed in FUNCTION (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (1) eap_tls: ERROR: System call (I/O) error (-1) (1) eap_tls: ERROR: TLS receive handshake failed during operation (1) eap_tls: ERROR: [eaptls process] = fail (1) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (1) eap: Sending EAP Failure (code 4) ID 2 length 4 (1) eap: Failed in EAP select (1) [eap] = invalid (1) } # authenticate = invalid - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html