Hi Mailing list, i installed freeradius on debian 9 for X802.1 authentication, which should replace an old freeradius server. For the new radius server, i generated a new CA for the client certificates and deployed the certificate on some clients. I also generated a certificate for the freeradius server (with the same CA): mods-enabled/eap: tls-config tls-common { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.crt dh_file = ${certdir}/dh ca_path = ${cadir} check_cert_cn = %{User-Name} cipher_list = "DEFAULT" .. } When a client tries to authenticate, i get the following radius output: (7) auth_log: --> Mon Mar 23 15:42:14 2020 (7) [auth_log] = ok (7) if (!EAP-Message) { (7) if (!EAP-Message) -> FALSE (7) else { (7) eap: Peer sent EAP Response (code 2) ID 15 length 17 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) files_x802_1_cert_auth: users: Matched entry XXXXXX at line 163 (7) [files_x802_1_cert_auth] = ok (7) } # else = updated (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/outer-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x5b409518594a9812 (7) eap: Finished EAP session with state 0xfcae8891ffa18542 (7) eap: Previous EAP request found for state 0xfcae8891ffa18542, released from the list (7) eap: Peer sent packet with method EAP TLS (13) (7) eap: Calling submodule eap_tls to process data (7) eap_tls: Continuing EAP-TLS (7) eap_tls: Peer indicated complete TLS record size will be 7 bytes (7) eap_tls: Got complete TLS record (7 bytes) (7) eap_tls: [eaptls verify] = length included (7) eap_tls: <<< recv TLS 1.2 [length 0002] (7) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done (7) eap_tls: ERROR: System call (I/O) error (-1) (7) eap_tls: ERROR: TLS receive handshake failed during operation (7) eap_tls: ERROR: [eaptls process] = fail (7) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed But, when i replace the ${certdir}/server.key and ${certdir}/server.crt with the server certificate from the old server, x802.1 authentication works (why??) Can someone help me? Thanks!