I've tried repeatedly to explain, so I'm not sure what isn't getting across. It's NEGOTIATION. That means BOTH SIDES HAVE TO AGREE ON THE CIPHERS.
I know, and understand. I am reading your replies, and they are most helpful. I am asking follow up questions because although everything you are saying makes sense, I haven't been able to get it working. I am using an out the box freeradius 3.2.3 config with modified tls and eap sections as per my original post. I thought you said openssl handles all the TLS comms, therefore apart from setting the path to my certs, what else can I do in freeradius config to help? Therefore the comments and documentation don't help me solve this because I've not set anything that would cause this. I am using an out the box ubuntu installation and openssl library with no cipher restrictions set either side. When I start a server using: ------ openssl s_server -key /usr/local/etc/raddb/certs/my_key.key -cert /usr/local/etc/raddb/certs/my_key.crt -chainCAfile /usr/local/etc/raddb/certs/my_key.ca -accept 2083 -www ------ the same client can successfully establish a connection, but that fails when the freeradius daemon is running using the same key/cert/ca This is why I am bouncing messages back and forth, not because I'm questioning your advice. Please don't take it that I'm not listening.