Well.. they shouldn't. And what's with not posting the debug log? Do you want to fix the problem or not?
This is what it looks like with ldap uncommented, i.e. EAP-TLS "broken" ..... in comparison, lower down you can see with LDAP commented again, it just gets on with the job of processing EAP-TLS. *** LDAP UNCOMMENTED***** rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=251, length=188 User-Name = "xyz_laptop_wifi" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXXXXXX" Calling-Station-Id = "60-03-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0xXXXXXXXXX Message-Authenticator = 0xXXXXXXXXX # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "xyz_laptop_wifi", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for xyz_laptop_wifi [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> xyz_laptop_wifi [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=xyz_laptop_wifi) [ldap] expand: ou=dot1x,dc=mydomain,dc=eu -> ou=dot1x,dc=mydomain,dc=eu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] bind as cn=admin,dc=mydomain,dc=eu/XXXXXXXXXXXXXX to localhost:389 [ldap] waiting for bind result ... [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf [ldap] (re)connection attempt failed [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> xyz_laptop_wifi attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=251, length=188 Waiting to send Access-Reject to client wifi2 port 32771 - ID: 251 Sending delayed reject for request 0 Sending Access-Reject of id 251 to 172.16.100.254 port 32771 Waking up in 4.9 seconds. Cleaning up request 0 ID 251 with timestamp +7 Ready to process requests. ***** LDAP COMMENTED**** rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=252, length=188 User-Name = "xyzlaptop_wifi" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXX" Calling-Station-Id = "60-03-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0xXXXX Message-Authenticator = 0xXXXX # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "xyzlaptop_wifi", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 252 to 172.16.100.254 port 32771 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7940879679418a6863a4c65145317568 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=253, length=339 User-Name = "xyzlaptop_wifi" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXX" Calling-Station-Id = "60-03-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0xXXXXXX State = 0x7940879679418a6863a4c65145317568 Message-Authenticator = 0x827b75775f481e9f2b14b64f56443006 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "xyzlaptop_wifi", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 152 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 142 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0089], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0039], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0d03], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [tls] TLS_accept: SSLv3 write key exchange A [tls] >>> TLS 1.0 Handshake [length 00ec], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 253 to 172.16.100.254 port 32771 etc. etc. etc.