So the question is... why did the client reject the first auth, but then immediately re-try and accept the certificate the second time.
I'd look at the client and see if you can get logs off it (hard on Windows I know, have to enable eap tracing, it's a right pig to read compared to -X on the server side...) to see why it rejected the first time - if you can get anything from it. I'm assuming the TLS Server OID is in the cert because it works the second time, but worth checking anyway.
I just extracted your cert from the EAP-Message, and you've not got the TLS Server Auth OID (1.3.6.1.5.5.7.3.1) in it. On that basis, could you please explain to us all how the heck you managed to get it to work at all the second time... :-) Re-generate the server certificate according to http://wiki.freeradius.org/guide/Certificate_Compatibility (as the original message said) and you should be good. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>