Hi Be really grateful for some assistance in this setup: 1. FreeRadius 3.0.16 running on Ubuntu 18.04 LTS 2. I have enabled EAP-TLS and have this working. The certificates (CA, Server, Client) have been created and imported from Microsoft CA server. 3. I have copied the CA certificate to /etc/freeradius/3.0/certs/root.pem and the server certificate / private key to /etc/freeradius/3.0/certs/radcert.pem 4. My eap module config looks like: tls-config tls-common { private_key_password = <password> private_key_file = /etc/freeradius/3.0/certs/radcert.pem certificate_file = /etc/freeradius/3.0/certs/radcert.pem ca_file = /etc/freeradius/3.0/certs/root.pem dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" ocsp { enable = yes override_cert_url = yes". url = "http://<IP address>/ocsp<http://%3cIP%20address%3e/ocsp>" timeout = 0 } } Without OCSP enabled, everything works. I can authenticate from a Wireless Access Point using a client certificate and EAP-TLS. I have configured OCSP in my Microsoft PKI environment and confirmed it works using the inbuilt Microsoft tools and OCSP Responder. I can use the URL listed above "http://<IP address>/ocsp<http://%3cIP%20address%3e/ocsp>" to check the certificate validity outside of FreeRadius. When I enable OSCP on FreeRadius, I receive an error message on client authentication "Could not get issuer_cert". FreeRADIUS doesn't attempt to query the OCSP URL (confirmed by packet capture). I have run FreeRadius in debug mode, where I see the message. "BARRYE540.intrinsic-comms.co.uk" is the CN of the client side certificate. "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" is my CA. This is the certificate in the file /etc/freeradius/3.0/certs/root.pem This CA signed both my server certificate, and also the client certificate. (6) authenticate { (6) eap: Expiring EAP session with state 0xbe16c925bb1ec429 (6) eap: Finished EAP session with state 0xbe16c925bb1ec429 (6) eap: Previous EAP request found for state 0xbe16c925bb1ec429, released from the list (6) eap: Peer sent packet with method EAP TLS (13) (6) eap: Calling submodule eap_tls to process data (6) eap_tls: Continuing EAP-TLS (6) eap_tls: Got final TLS record fragment (430 bytes) (6) eap_tls: [eaptls verify] = ok (6) eap_tls: Done initial handshake (6) eap_tls: TLS_accept: SSLv3/TLS write server done (6) eap_tls: <<< recv TLS 1.0 Handshake [length 05ec], Certificate (6) eap_tls: Creating attributes from certificate OIDs (6) eap_tls: TLS-Cert-Serial := "65af3f02a6ec65a44c0e7514e4264d26" (6) eap_tls: TLS-Cert-Expiration := "210606133907Z" (6) eap_tls: TLS-Cert-Subject := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" (6) eap_tls: TLS-Cert-Issuer := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" (6) eap_tls: TLS-Cert-Common-Name := "intrinsic-comms-INTRINSIC-DC1-CA" (6) eap_tls: Creating attributes from certificate OIDs (6) eap_tls: TLS-Client-Cert-Serial := "61ab3a63000000000024" (6) eap_tls: TLS-Client-Cert-Expiration := "210311124806Z" (6) eap_tls: TLS-Client-Cert-Subject := "/CN=BARRYE540.intrinsic-comms.co.uk" (6) eap_tls: TLS-Client-Cert-Issuer := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" (6) eap_tls: TLS-Client-Cert-Common-Name := "BARRYE540.intrinsic-comms.co.uk" (6) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "BARRYE540.intrinsic-comms.co.uk" (6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, TLS Web Server Authentication" (6) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "92:B0:76:E0:FF:A4:21:CA:90:86:5D:ED:30:95:76:ED:1B:39:7C:3C" (6) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:6E:8C:54:CC:71:53:48:A7:7B:C7:56:CA:9F:BA:B2:00:D0:D0:B0:4D\n" (6) eap_tls: Starting OCSP Request (6) eap_tls: ERROR: Couldn't get issuer_cert for BARRYE540.intrinsic-comms.co.uk (6) eap_tls: TLS_accept: SSLv3/TLS read client certificate (6) eap_tls: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange (6) eap_tls: <<< recv TLS 1.0 Handshake [length 0106], CertificateVerify (6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify (6) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec (6) eap_tls: <<< recv TLS 1.0 Handshake [length 0010], Finished (6) eap_tls: TLS_accept: SSLv3/TLS read finished (6) eap_tls: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec (6) eap_tls: >>> send TLS 1.0 Handshake [length 0010], Finished (6) eap_tls: TLS_accept: SSLv3/TLS write finished (6) eap_tls: (other): SSL negotiation finished successfully (6) eap_tls: SSL Connection Established (6) eap_tls: [eaptls process] = handled (6) eap: Sending EAP Request (code 1) ID 9 length 69 (6) eap: EAP session adding &reply:State = 0xbe16c925b81fc429 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 56 from 10.1.201.131:1812 to 10.1.200.5:1645 length 0 (6) EAP-Message = 0x010900450d800000003b14030100010116030100300d1b86144514486ac8365c982b727cc67cc948850c735a28a07e93f2 b24bf4b0858e5ac5677c48fbcb1293e30098f482 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xbe16c925b81fc4295f491b5eb49b13aa (6) Finished request If there are any other further debugs or outputs that would assist, please let me know. Thanks.