(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message

Michel Verhagen mike at guruce.com
Tue Jun 15 04:41:54 CEST 2021

Hi Alan,

I finally managed to get back to this project. I have now built the 
FreeRadius 3.0.x branch straight from Git. The server reports:

FreeRADIUS Version 3.0.24

When I try to authenticate using TLS (using the certificate ca.pem 
created using ./bootstrap), the FreeRadius server outputs this:

(9) Found Auth-Type = eap
(9) # Executing group from file
(9)   authenticate {
(9) eap: Expiring EAP session with state 0xde98ecf7dd9de19b
(9) eap: Finished EAP session with state 0xde98ecf7dd9de19b
(9) eap: Previous EAP request found for state 0xde98ecf7dd9de19b,
released from the list
(9) eap: Peer sent packet with method EAP TLS (13)
(9) eap: Calling submodule eap_tls to process data
(9) eap_tls: (TLS) EAP Done initial handshake
(9) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(9) eap_tls: (TLS) send TLS 1.2 Alert, fatal unexpected_message
(9) eap_tls: ERROR: (TLS) Alert write:fatal:unexpected_message
(9) eap_tls: ERROR: (TLS) Server : Error in error
(9) eap_tls: ERROR: (TLS) Failed reading from OpenSSL:
routines:ossl_statem_server_read_transition:unexpected message
(9) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(9) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(9) eap_tls: ERROR: [eaptls process] = fail
(9) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP
sub-module failed
(9) eap: Sending EAP Failure (code 4) ID 5 length 4
(9) eap: Failed in EAP select
(9)     [eap] = invalid
(9)   } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject

Do you have any pointers where to look next?



On 16/04/2021 11:13, Alan DeKok wrote:


Michel Verhagen
Microsoft eMVP

  GuruCE Limited
  Microsoft Embedded Partner
  NXP Gold Partner
  240 Ohiwa Harbour Road
  Opotiki, 3198
  New Zealand
  Ph.  +64 (0)7  929 5807
  Mob. +64 (0)21 104 6208

  CONFIDENTIALITY NOTICE: The information contained in this message and attachments, if any, is confidential and is
  intended solely for the use of the individual or entity to whom it is addressed. You should not copy, disclose or
  distribute this communication without the authority of GuruCE Ltd. GuruCE Ltd. is neither liable for the proper and
  complete transmission of the information contained in this communication nor for any delay in its receipt. GuruCE Ltd.
  does not guarantee that the integrity of this communication has been maintained nor that the communication is free of
  viruses, interceptions or interference. If you are not the intended recipient of this communication please return the
  communication to the sender and delete and destroy all copies. If you are not the intended recipient, you are hereby
  notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.

> On Apr 15, 2021, at 6:39 PM, Michel Verhagen <mike at guruce.com> wrote:
>>> You have to get it from Github, and build it yourself.
>> As I said; I am a n00b when it comes to Linux. Are there any 
>> instructions somewhere I can follow on how to do this on FreeBSD?
> The server comes with instructions on how to build it. There are more 
> instructions on the Wiki. Typically the process is:
> ./configure
> make
> make install
> It would be likely worth your while to build a version first using the 
> FreeBSD package system. That will install many of the dependencies 
> needed by the server.
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/devel.html

More information about the Freeradius-Devel mailing list