So yesterday after complicating my configuration I decided to completely start over. I rebuilt the server and got everything work up to the EAP-TLS. While it is clear that it says no "known good" password found, I was able to auth to LDAP prior to turning on EAP-TLS. So I suspect there is something else that I am missing. I am using the certificates that came w/ FreeRADIUS in the /etc/raddb/certs/ folder. I will be generating my own or applying ones from FreeIPA once I get this working. I followed this: http://deployingradius.com/documents/configuration/eap.html https://wiki.alpinelinux.org/wiki/FreeRadius_EAP-TLS_configuration Here is the output from debug: (2) control:Auth-Type := LDAP (2) } # update = noop (2) } # if ((ok || updated) && User-Password) = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = ok (2) Found Auth-Type = LDAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Auth-Type LDAP { rlm_ldap (ldap): Reserved connection (6) (2) ldap: Login attempt by "andrew.meyer" (2) ldap: Using user DN from request "uid=andrew.meyer,cn=users,cn=accounts,dc=meyer,dc=local" (2) ldap: Waiting for bind result... (2) ldap: Bind successful (2) ldap: Bind as user "uid=andrew.meyer,cn=users,cn=accounts,dc=meyer,dc=local" was successful rlm_ldap (ldap): Released connection (6) (2) [ldap] = ok (2) } # Auth-Type LDAP = ok (2) # Executing section post-auth from file /etc/raddb/sites-enabled/default (2) post-auth { (2) update { (2) No attributes updated (2) } # update = noop (2) [exec] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # post-auth = noop (2) Sent Access-Accept Id 16 from 10.150.10.45:1812 to 10.150.1.250:53618 length 0 (2) Finished request Waking up in 1.0 seconds. (1) Cleaning up request packet ID 15 with timestamp +68 Waking up in 3.9 seconds. (2) Cleaning up request packet ID 16 with timestamp +72 Ready to process requests