Hi there, Newbie here, so please be gentle :) I've been setting up a FreeRADIUS server for a client, so they can (finally!) break away from AD/NPS-based RADIUS (ugh) for company WiFi. I have SCEP certificates pushed out to all machines, and I have iPhones connecting perfectly (transparent connection to test SSID with successful RADIUS validation). But I am banging my head against the wall with Windows 10 devices... Certificates valid (from the same source, same profile), CA configured correctly, it _should_ be working (as iOS can connect), but freeradius -X gives me this: ... (42) eap_tls: ocsp: Cert status: good (42) eap_tls: ocsp: Certificate is valid (42) eap_tls: TLS_accept: SSLv3/TLS read client certificate (42) eap_tls: <<< recv TLS 1.2 [length 0066] (42) eap_tls: TLS_accept: SSLv3/TLS read client key exchange (42) eap_tls: <<< recv TLS 1.2 [length 0108] (42) eap_tls: >>> send TLS 1.2 [length 0002] (42) eap_tls: ERROR: TLS Alert write:fatal:decrypt error (42) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read) (42) eap_tls: ERROR: error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid (42) eap_tls: ERROR: error:1417B07B:SSL routines:tls_process_cert_verify:bad signature (42) eap_tls: ERROR: System call (I/O) error (-1) (42) eap_tls: ERROR: TLS receive handshake failed during operation (42) eap_tls: ERROR: [eaptls process] = fail (42) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (42) eap: Sending EAP Failure (code 4) ID 187 length 4 ... Sadly I can't work out _which_ signature it's having a problem with - openssl verify is fine with the certificate and CA. The correct certificate is being sent (I can see that elsewhere in the output), EKU is all good. Any pointers would be really appreciated - I'm not sure at the moment whether to continue squinting at FreeRADIUS config, Windows config, SCEP certificate properties, or what! FreeRADIUS 3.0.21 OpenSSL 1.1.1 Windows fully updated I have different CAs for FreeRADIUS (Let's Encrypt) and SCEP (self-signed), but I understand this is fine, and as I mentioned it works for iOS. Has anyone seen this before? I've hunted all over the Internet, but nothing quite matches :( Thanks in advance. -- Peter Bance Information Security Adviser