Hi. I'm trying to set up EAP-TLS with certificates with an Android Pixel 7 Pro, latest OS, via a Unifi U6 Pro, using FreeRadius 3.0.17 on a raspberry pi 4. I took the default config, and changed as little as possible: clients.conf, added: client wifi_aps { ipaddr = 192.168.123.0/24 secret = radiuspasswordhere } In case it would help, I also added a user. PEAP auth with username/password works. wifi Cleartext-Password := "XXXXXXX" Tunnel-Type = "VLAN", Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-Id = "13", Reply-Message = "Hello there!" Made the certificates by editing the .cnf files and doing "make ca.pem", "make server.pem", and "make client.pem". I loaded the .p12 on the Android phone, and changed the paths in mod-enabled/eap. I changed default_eap_type to tls, and added use_tunneled_reply to tls-config. Here's a selection of the output of freeradius -X: First access request in packet 1: (1) Received Access-Request Id 61 from 192.168.XX.Z:59545 to 192.168.XX.Y:1812 length 216 SSL handshake done by packet 8: (8) eap_tls: SSL Connection Established (with client cert details shown) After that there's just a bunch of apparently empty-ish repeating Access-Request/Access-Challenge[1], and it's stuck that way until: (52) eap: ERROR: rlm_eap (EAP): Aborting! More than 50 roundtrips made in session with state 0x8e36e001bc25ed47 What am I doing wrong? In this example I'm putting "wifi" as identity, in case it helps that it's present in the user config. I expect that at some point the server should reply Accepted, instead of a new challenge. I guess the client cert was not enough auth? Is there a config I need to change so that cert is sufficient? I'd appreciate any help. Thanks. [1] (14) Received Access-Request Id 74 from 192.168.XX.Z:59545 to 192.168.XX.Y:1812 length 231 (14) User-Name = "wifi" (14) NAS-IP-Address = 192.168.XX.Z (14) NAS-Identifier = "xxx" (14) Called-Station-Id = "xx-xx-xx-xx-xx-xx:secnet2" (14) NAS-Port-Type = Wireless-802.11 (14) Service-Type = Framed-User (14) Calling-Station-Id = "xx-xx-xx-xx-xx-xx" (14) Connect-Info = "CONNECT 0Mbps 802.11b" (14) Acct-Session-Id = "3E1F2B0282D15C98" (14) Acct-Multi-Session-Id = "3870EEE1F7155662" (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-Group-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027073 (14) Framed-MTU = 1400 (14) EAP-Message = 0x02ed00060d00 (14) State = 0x8e36e00182dbed476556c84932fcf3de (14) Message-Authenticator = 0x03a0ae965bd12781a50f91cd3ac1aaf6 (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = notfound (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "wifi", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 237 length 6 (14) eap: No EAP Start, assuming it's an on-going EAP conversation (14) [eap] = updated (14) files: users: Matched entry wifi at line 90 (14) [files] = ok (14) [expiration] = noop (14) [logintime] = noop (14) pap: WARNING: Auth-Type already set. Not setting to PAP (14) [pap] = noop (14) } # authorize = updated (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0x8e36e00182dbed47 (14) eap: Finished EAP session with state 0x8e36e00182dbed47 (14) eap: Previous EAP request found for state 0x8e36e00182dbed47, released from the list (14) eap: Peer sent packet with method EAP TLS (13) (14) eap: Calling submodule eap_tls to process data (14) eap_tls: Continuing EAP-TLS (14) eap_tls: Peer ACKed our handshake fragment (14) eap_tls: [eaptls verify] = request (14) eap_tls: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 238 length 10 (14) eap: EAP session adding &reply:State = 0x8e36e00183d8ed47 (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) Challenge { ... } # empty sub-section is ignored (14) Sent Access-Challenge Id 74 from 192.168.XX.Y:1812 to 192.168.XX.Z:59545 length 0 (14) Tunnel-Type = VLAN (14) Tunnel-Medium-Type = IEEE-802 (14) Tunnel-Private-Group-Id = "13" (14) Reply-Message = "Hello there!" (14) EAP-Message = 0x01ee000a0d8000000000 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x8e36e00183d8ed476556c84932fcf3de (14) Finished request -- typedef struct me_s { char name[] = { "Thomas Habets" }; char email[] = { "thomas@habets.se" }; char kernel[] = { "Linux" }; char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" }; char pgp[] = { "9907 8698 8A24 F52F 1C2E 87F6 39A4 9EEA 460A 0169" }; char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" }; } me_t;