EAP/TLS TLS_accept error Hi: I want to build a IEEE 802.1x authentication environoment and I have installed freeradius-1.0.2, openssl-0.9.8i, hostpad-0.4.8, wpa_supplicant-0.4.8. The authentication server is built in redhat9 , the database is mysql5 and client is build in linux. I can use EAP/MD5 authentication type and it runs well. When I config EAP/TLS-MD5 type, the client cann't be authenticated. I have referenced many similar ways to resolve it, but I am failed. I list my configuration files and the debug information below. Who can give me some suggestion, Thank your very much for your help ! A. IN FREERADIUS: 1. Using CA.all to generate certificats: /CA.all Get those new files: cert-clt.der cert-clt.p12 cert-clt.pem cert-srv.p12 cert-srv.pem newcert.pem newreq.pem root.der root.p12 root.pem The default protect password is whaterver 2. Generate Diffie-Hellman key named dh and random key named random openssl dhparam -check -text -5 512 -out dh dd if=/dev/urandom of=random count=2 3. eap.conf default_eap_type = tls tls { private_key_password = whatever private_key_file = /etc/mycerts/cert-srv.pem certificate_file = /etc/mycerts/cert-srv.pem CA_file = /etc/mycerts/root.pem dh_file = /etc/mycerts/dh random_file = /etc/mycerts/random fragment_size = 1024 include_length = yes } 4. radius.conf authorize { preprocess suffix eap files sql } authenticate { eap } 5. users DEFAULT Auth-Type = EAP Fall-Through = 1 6. part of debug information modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0822], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0071], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate TLS_accept:failed in SSLv3 read client certificate A TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate TLS_accept:failed in SSLv3 read client certificate A 6533:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42 6533:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails B. IN HOSTAPD 1. some debug information RADIUS packet matching with station 00:13:d7:20:00:90 IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state FAIL IEEE 802.1X: Sending EAP Packet to 00:13:d7:20:00:90 (identifier 4) IEEE 802.1X: 00:13:d7:20:00:90 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:13:d7:20:00:90 AUTH_PAE entering state HELD br0: STA 00:13:d7:20:00:90 IEEE 802.1X: authentication failed IEEE 802.1X: 00:13:d7:20:00:90 BE_AUTH entering state IDLE C. IN WPA_SUPPLICANT 1. wired.conf # IEEE 802.1X with EAP-TLS ctrl_interface=/var/run/wpa_supplicant ap_scan=0 eapol_version=1 network={ ssid="" key_mgmt=IEEE8021X eap=TLS identity="test" ca_cert="/root/root.pem" client_cert="/root/cert-clt.pem" private_key="/root/cert-clt.pem" private_key_passwd="whatever" eapol_flags=0 priority=2 } 2. some debug information SSL: SSL_connect:SSLv3 read server hello A TLS: Certificate verification failed, error 9 (certificate is not yet valid) depth 1 SSL: (where=0x4008 ret=0x22a) SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad certificate SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server certificate B OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed SSL: 7 bytes pending from ssl_out SSL: Failed - tls_out available to report error