Help Required: Encountering AEADBadTagException ("Tag mismatch!") with FreeRADIUS Integration

Kalyani Borkar kalyaniborkar2205 at gmail.com
Mon Jul 21 12:19:19 UTC 2025


Hello FreeRadius Team

I hope you're doing well.

I'm currently working on integrating FreeRADIUS with a Java-based
authentication system, and I'm running into an issue related to TLS
decryption during the EAP-TTLS handshake.

Specifically, I'm seeing the following exception on the server side:

javax.crypto.AEADBadTagException: Tag mismatch!

>From my understanding, this typically indicates a problem with key mismatch
or incorrect handling of encrypted TLS data, possibly during the decryption
of the ClientKeyExchange or in the derivation of the pre-master/master
secrets.

I've double-checked the cipher suites and key derivation process, and I'm
using:

   -

   TLS version: TLS 1.2
   -

   Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   -

   Key derivation uses ECDHE

Despite that, I’m still running into the above error, which blocks the
successful authentication flow.

Would you be able to guide me on what might be causing this or how I can
debug it further within the FreeRADIUS or TLS stack? I’d greatly appreciate
any pointers or direction, even if it's just confirming what part of the
handshake to focus on.

Thank you for your time and all the work you do for the FreeRADIUS project.

Best regards,
*Kalyani Borkar*
Email: kalyaniborkar2205 at gmail.com
GitHub: github.com/Kalyani-Borka <https://github.com/Kalyani-Borkar>r

[image: photo]

Senior Software Engineer

7776978417  |  kalyaniborkar2205 at gmail.com <kalyaniborkar.tech at gmail.com>


[image: __tpx__]


More information about the Freeradius-Devel mailing list