I'm trying to setup an EAP-TLS network with freeradius-server-2.2.5. I am using the example simple configuration with the username bob, password hello, and the sample server/client certificates that were generated in /usr/local/etc/raddb/certs. Authentication is failing with the following output: rad_recv: Access-Request packet from host 127.0.0.1 port 35906, id=101, length=188 User-Name = "bob" Called-Station-Id = "00-1A-EF-41-E2-2E:UBUNTU-TABOR" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "34-23-87-00-14-3F" Connect-Info = "CONNECT 11Mbps 802.11b" Acct-Session-Id = "544EC2A6-00000015" Framed-MTU = 1400 EAP-Message = 0x0250000d0d001503010002022a State = 0x45e158e041b155dbff559d4ce378d770 Message-Authenticator = 0xd1b7786e651558d6c517f695892a9827 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 80 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry bob at line 1 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Just to clarify: does this mean that freeradius didn't like the certificate that the client sent? Thank you, Tabor