[Not sure where to report this. So please advise, if there's a more suitable place.] Dear all, When upgrading our running freeradius-2.2 configuration for EAP-TTLS to freeradius-3.0 we followed the guide from http://freeradius.org/version3.html and almost everything was running in our test environment except one point already discussed similarly: http://lists.freeradius.org/pipermail/freeradius-users/2015-March/076365.htm... We had the same problem with our wpa_supplicant and Oddyssey clients: The very last ACK from the client was not well recognized by freeradius-3 with the same DEBUG message, also see (partly obfuscated radius.debug.txt): Login incorrect (eap_ttls: Invalid ACK received: 0) Encouraged from the thread follow-up http://lists.freeradius.org/pipermail/freeradius-users/2015-May/077614.html we checked the values returned to the method tls_ack_handler() in src/main/tls.c : In fact we found for the last ACK: ssn->info.content_type == 0 (instead of handshake == 22) ssn->info.handshake_type == handshake_finished (expected 20) ssn->dirty_out.used == 0 In order to make it work, we patched freeradius-3 like this (also see attachments tls.c.patch and tls.c.original): $ diff tls.c.patch tls.c.original 3130,3134d3129 < /* patch needed for many versions of TTLS clients, compare http://lists.freeradius.org/pipermail/freeradius-users/2015-May/077614.html */ < if ((ssn->info.handshake_type == handshake_finished) && (ssn->dirty_out.used == 0)) { < ssn->info.content_type = handshake; < } < HTH -- Till -- Dipl.-Inform. Till Dörges doerges@pre-sense.de Tel. +49 - 40 - 244 2407 - 14 Fax +49 - 40 - 244 2407 - 24 PRESENSE Technologies GmbH Sachsenstr. 5, D-20097 HH Geschäftsführer/Managing Directors AG Hamburg, HRB 107844 Till Dörges, Jürgen Sander USt-IdNr.: DE263765024