I've strange problem with freeradius. It was working as expected and suddenly stopped authenticate wpa2-eap users to active directory. I've recreated whole VM with freeradius server without success. Same credentials work for ikev2 mschapv2 authentication but not for wireless wpa2-eap (android and windows clients). Am I missing something? Below debug log with error: (9) eap: Expiring EAP session with state 0x977b062a947f1f7c (9) eap: Finished EAP session with state 0x977b062a947f1f7c (9) eap: Previous EAP request found for state 0x977b062a947f1f7c, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: Peer indicated complete TLS record size will be 7 bytes (9) eap_peap: Got complete TLS record (7 bytes) (9) eap_peap: [eaptls verify] = length included (9) eap_peap: <<< recv TLS 1.2 [length 0002] (9) eap_peap: ERROR: TLS Alert read:fatal:internal error (9) eap_peap: TLS_accept: Need to read more data: error (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error (9) eap_peap: TLS - In Handshake Phase (9) eap_peap: TLS - Application data. (9) eap_peap: ERROR: TLS failed during operation (9) eap_peap: ERROR: [eaptls process] = fail (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 4 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> some_domain\\some_user (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated