Hi, I have a FR setup working fine for wireless clients with either EAP-TLS (computer certificate) or EAP-PEAP (user credentials validated by winbind/AD). I'm trying to expand on that and have wired clients authenticate via 802.1X with EAP-TLS (computer certificate). In my test I'm using the same Windows client that properly authenticates wirelessly with EAP-TLS. I configured its wired interface to use 802.1X with the same local certificate. The FR log indeed shows a "Received Access-Request" which is identical to what I see when it connects wirelessly, except of course for the calling station's MAC addr. The request log also finishes in a similar way with: (38) Found Auth-Type = eap (38) # Executing group from file /etc/raddb/sites-enabled/default (38) authenticate { (38) eap: Peer sent packet with method EAP Identity (1) (38) eap: Calling submodule eap_tls to process data (38) eap_tls: Initiating new TLS session (38) eap_tls: Setting verify mode to require certificate from client (38) eap_tls: [eaptls start] = request (38) eap: Sending EAP Request (code 1) ID 3 length 6 (38) eap: EAP session adding &reply:State = 0x5bf4e1345bf7eccc (38) [eap] = handled (38) } # authenticate = handled (38) Using Post-Auth-Type Challenge (38) # Executing group from file /etc/raddb/sites-enabled/default (38) Challenge { ... } # empty sub-section is ignored (38) Sent Access-Challenge Id 6 from 10.215.144.91:1812 to 10.215.110.190:49154 length 0 (38) EAP-Message = 0x010300060d20 (38) Message-Authenticator = 0x00000000000000000000000000000000 (38) State = 0x5bf4e1345bf7eccc1b644b2a242dee88 (38) Finished request However, FR keeps receiving "Access-Request" messages from the same station without the "State" field. So, could it be that the client is not responding properly (or ignoring/denying) FR's "Access-Challenge"? What should I be looking for and where (I suspect it's all on the client, but I'd like to make sure I don't need to do anything else in FR)? Would it be useful if I posted the full "Access-Request" log? If so, one would be enough if subsequent request messages are the same, I guess (except for msg ID of course). Regards, Vieri