Following recommendations I’m starting by EAP-TLS config first. I have two question. First, it seams that, in my understanding, the configuration key ca_file in mods-enabled/eap (Ubuntu) is both use for as anchor for the radius server certificate defined in certificate_file and as trusted authority for client authentication. Is there a way to use a different set here? My goal would be to use for the radius server a certificate from Let’s Encrypt, as any exposed Internet service (and to ease the server provisioning), and for the client authentication, my internal PKI. Is that doable? Or should I use only certificates from my PKI here? Then, I’m having some basic EAP-TLS setup that ends with the server side sending an Access-Challenge and now answer from the client. Network stack is UniFi network with a macOS client connected to the WiFi. Any recommendations for the troubleshooting steps needed when Access-Challenge is not answered? Here is the debug log (0) Received Access-Request Id 0 from <my_public_ip>:55641 to 172.31.4.143:1812 length 224 (0) User-Name = "y" (0) NAS-IP-Address = 172.16.128.187 (0) NAS-Identifier = "6ad79a4ae1df" (0) Called-Station-Id = "6A-D7-9A-4A-E1-DF:Test" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Calling-Station-Id = "8A-6C-88-1D-26-16" (0) Connect-Info = "CONNECT 0Mbps 802.11a" (0) Acct-Session-Id = "E6820D4A4AE32164" (0) Acct-Multi-Session-Id = "B340C339DFD7F4B8" (0) Mobility-Domain-Id = 45825 (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027075 (0) Filter-Id = "wpa-eap" (0) Framed-MTU = 1002 (0) EAP-Message = 0x020100060179 (0) Message-Authenticator = 0x2dc1e95d3c1a904277374839acf24474 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/<my_public_ip>/auth-detail-20250420 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/<my_public_ip>/auth-detail-20250420 (0) auth_log: EXPAND %t (0) auth_log: --> Sun Apr 20 16:52:55 2025 (0) [auth_log] = ok (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "y", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 6 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: EXPAND %{Calling-Station-Id} (0) eap: --> 8A-6C-88-1D-26-16 (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) TLS -Initiating new session (0) eap_tls: (TLS) TLS - Setting verify mode to require certificate from client (0) eap: Sending EAP Request (code 1) ID 2 length 10 (0) eap: EAP session adding &reply:State = 0xbf9ac2b0bf98cffa (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type Challenge { (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) attr_filter.access_challenge: EXPAND %{User-Name} (0) attr_filter.access_challenge: --> y (0) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (0) [attr_filter.access_challenge.post-auth] = updated (0) } # Post-Auth-Type Challenge = updated (0) session-state: Saving cached attributes (0) Framed-MTU = 1002 (0) Sent Access-Challenge Id 0 from 172.31.4.143:1812 to <my_public_ip>:55641 length 68 (0) EAP-Message = 0x0102000a0da000000000 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xbf9ac2b0bf98cffac710c0c9c10466bb (0) Finished request Waking up in 4.9 seconds.