Hi What am I missing to get EAP working both radius server and clients having ECC (P521) keys ? Running freeradius in the foreground shows me this: (8) eap_tls: (TLS) EAP Peer says that the final record size will be 378 bytes (8) eap_tls: (TLS) EAP Got all data (378 bytes) (8) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (8) eap_tls: (TLS) Handshake state - Server SSLv3 read client hello A (8) eap_tls: (TLS) send TLS 1.3 Handshake, ServerHello (8) eap_tls: (TLS) Handshake state - Server SSLv3 write server hello A (8) eap_tls: (TLS) send TLS 1.3 Handshake, type=8 (8) eap_tls: (TLS) send TLS 1.3 Handshake, CertificateRequest (8) eap_tls: (TLS) Handshake state - Server SSLv3 write certificate request A (8) eap_tls: (TLS) send TLS 1.3 Alert, fatal handshake_failure (8) eap_tls: ERROR: (TLS) Server : Error in SSLv3 write certificate A (8) eap_tls: ERROR: (TLS) Failed reading from OpenSSL (8) eap_tls: ERROR: (TLS) error:1402D0FB:SSL routines:ACCEPT_SW_CERT:unknown pkey type (8) eap_tls: ERROR: (TLS) error:14FFF0A8:SSL routines:(UNKNOWN)SSL_internal:missing rsa certificate (8) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (8) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation "missing rsa certificate" is the bit that jumps out at me. My /etc/raddb/mods-available/eap file looks like the following: eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_password = THIS_HAS_BEEN_REMOVED_TO_PROTECT_THE_INNOCENT private_key_file = /etc/foobar/wifi/cert-out.key certificate_file = /etc/foobar/wifi/cert-out.crt ca_file = /etc/foobar/wifi/ca-chain.pem dh_file = /etc/foobar/wifi/dh.pem ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no tls_min_version = "1.2" tls_max_version = "1.3" ecdh_curve = "secp521r1" cache { enable = no store { Tunnel-Private-Group-Id } } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } tls { tls = tls-common } }