Hello, Sorry for the lack of information in my first message. I was also too much focused on that error being on the inner-tunnel side that I oversaw what the debug was telling me. I've been fiddling a bit with the configuration and understanding how it works a bit better. This problem I have reamins largely the same: a well-configured client (and by well I specially mean that it validates CA and CN) is offered (on purpose) a different certificate from what it expects. I expect the client to reject it, of course, but instead of hard-rejecting it I wish I could make it retry promptly (issue another Challenge?, some different EAP-Message in the Access-Reject?), or either offer it the server certificate it expects via another eap module configuration (eap_legit). I'm pasting the latest sites-enabled/default config and relevant debug excerp: server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { filter_username preprocess chap mschap suffix split_username_nai rewrite_calling_station_id ntdomain files if (!ok && request:Realm == 'NULL') { update reply { Reply-Message := 'Username should have domain' } reject } if (!ok && (&Realm == '<redacted>' || &Realm == '<redacted>')) { update control { Tmp-Integer-0 := "%{sql_rogue:SELECT COUNT(*) FROM ok_user_mac WHERE user_mac_id = (SELECT id FROM user_mac WHERE user = '%{request:User-Name}' AND mac = '%{request:Calling-Station-Id}')}" Tmp-Integer-1 := "%{sql_rogue:SELECT COUNT(*) FROM ko_user_mac WHERE user_mac_id = (SELECT id FROM user_mac WHERE user = '%{request:User-Name}' AND mac = '%{request:Calling-Station-Id}')}" } if (&control:Tmp-Integer-1 > 0) { reject } elsif (&State || &control:Tmp-Integer-0 == 0) { eap_rogue { ok = return } } else { eap_legit { ok = return } } } else { eap_legit { ok = return } } pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap eap_legit Auth-Type eap_rogue { update control { Tmp-String-0 := 'TRY' } eap_rogue update control { Tmp-String-0 !* ANY } } } preacct { preprocess rewrite_calling_station_id acct_unique suffix files } accounting { detail log_sec_acct attr_filter.accounting_response } session { } post-auth { update { &reply: += &session-state: } remove_reply_message_if_eap Post-Auth-Type REJECT { attr_filter.access_reject eap_legit remove_reply_message_if_eap if (&control:Tmp-String-0 == 'TRY') { "%{sql_rogue:CALL to_ok_user_mac('%{User-Name}', '%{Calling-Station-Id}')}" update reply { EAP-Message := 0x04060004 <---- Trying with a poorly chosen EAP-Message } } } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap_legit } } --------------------- (4) Found Auth-Type = eap_rogue (4) # Executing group from file /usr/local/freeradius-3.0.13/etc/raddb/sites-enabled/default (4) Auth-Type eap_rogue { (4) update control { (4) Tmp-String-0 := 'TRY' (4) } # update control = noop (4) eap_rogue: Expiring EAP session with state 0x0c576b440f5272f5 (4) eap_rogue: Finished EAP session with state 0x0c576b440f5272f5 (4) eap_rogue: Previous EAP request found for state 0x0c576b440f5272f5, released from the list (4) eap_rogue: Peer sent packet with method EAP PEAP (25) (4) eap_rogue: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 7 bytes (4) eap_peap: Got complete TLS record (7 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (4) eap_peap: ERROR: TLS_accept: Failed in unknown state (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read) (4) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (4) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (4) eap_peap: ERROR: System call (I/O) error (-1) (4) eap_peap: ERROR: TLS receive handshake failed during operation (4) eap_peap: ERROR: [eaptls process] = fail (4) eap_rogue: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (4) eap_rogue: Sending EAP Failure (code 4) ID 5 length 4 (4) eap_rogue: Failed in EAP select (4) [eap_rogue] = invalid (4) } # Auth-Type eap_rogue = invalid (4) Failed to authenticate the user (4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [<redacted>] (from client OAW_4650 port 0 cli A0-88-B4-2B-7F-E8) (4) Using Post-Auth-Type Reject (4) # Executing group from file /usr/local/freeradius-3.0.13/etc/raddb/sites-enabled/default (4) Post-Auth-Type REJECT { (4) attr_filter.access_reject: EXPAND %{User-Name} (4) attr_filter.access_reject: --> <redacted> (4) attr_filter.access_reject: Matched entry DEFAULT at line 11 (4) [attr_filter.access_reject] = updated (4) [eap_legit] = noop (4) policy remove_reply_message_if_eap { (4) if (&reply:EAP-Message && &reply:Reply-Message) { (4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (4) else { (4) [noop] = noop (4) } # else = noop (4) } # policy remove_reply_message_if_eap = noop (4) if (&control:Tmp-String-0 == 'TRY') { (4) if (&control:Tmp-String-0 == 'TRY') -> TRUE (4) if (&control:Tmp-String-0 == 'TRY') { rlm_sql (sql_edurogue): Reserved connection (4) (4) Executing select query: CALL to_ok_user_mac('<redacted>', 'A0-88-B4-2B-7F-E8') (4) SQL query returned no results rlm_sql (sql_edurogue): Released connection (4) (4) EXPAND %{sql_rogue:CALL to_ok_user_mac('%{User-Name}', '%{Calling-Station-Id}')} (4) --> (4) update reply { (4) EAP-Message := 0x04060004 (4) } # update reply = noop (4) } # if (&control:Tmp-String-0 == 'TRY') = noop (4) } # Post-Auth-Type REJECT = updated (4) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. I confess that EAP-Message is a mystery for me and I don't know yet what can it signal to the client. Thanks, Alberto