Help Required: Encountering AEADBadTagException ("Tag mismatch!") with FreeRADIUS Integration

Alan DeKok aland at deployingradius.com
Tue Jul 22 07:46:41 UTC 2025


On Jul 21, 2025, at 2:19 PM, Kalyani Borkar <kalyaniborkar2205 at gmail.com> wrote:
> I'm currently working on integrating FreeRADIUS with a Java-based
> authentication system, and I'm running into an issue related to TLS
> decryption during the EAP-TTLS handshake.
> 
> Specifically, I'm seeing the following exception on the server side:
> 
> javax.crypto.AEADBadTagException: Tag mismatch!

  To a large extent, that's an issue with the local code.  i.e. the Java code which isn't FreeRADIUS.

> From my understanding, this typically indicates a problem with key mismatch
> or incorrect handling of encrypted TLS data, possibly during the decryption
> of the ClientKeyExchange or in the derivation of the pre-master/master
> secrets.

  Quite possibly.

> Would you be able to guide me on what might be causing this or how I can
> debug it further within the FreeRADIUS or TLS stack? I’d greatly appreciate
> any pointers or direction, even if it's just confirming what part of the
> handshake to focus on.

  I would suggest running the same test with eapol_test.  That's a supplicant which implements EAP-TTLS.  You can follow the code and packet flow there.  Then, compare it to your tool.

  But ultimately this is a TLS issue on your system, and Java, and on custom code that we didn't write.  So we can only give very vague advice here.

  Alan DeKok.
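
Added example (not part of the original thread, and not code from FreeRADIUS or from the poster's system): a stand-alone Java program showing that an AES-GCM decrypt raises AEADBadTagException whenever the key, nonce, additional data or ciphertext differs by even one bit from what the sender used, which are the "key mismatch or incorrect handling of encrypted TLS data" cases raised in the question. All key, nonce and record values are constructed; the additional-data layout assumed is the TLS 1.2 AEAD one (sequence number, type, version, length), and the class and method names are hypothetical.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class GcmTagMismatchDemo {
    // Build an AES-GCM cipher with a 128-bit tag and feed it the additional data.
    static Cipher gcm(int mode, byte[] key, byte[] nonce, byte[] aad) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        c.updateAAD(aad);
        return c;
    }

    // Try to open one record and report whether the tag verified.
    static String open(byte[] key, byte[] nonce, byte[] aad, byte[] ct) throws Exception {
        try {
            byte[] pt = gcm(Cipher.DECRYPT_MODE, key, nonce, aad).doFinal(ct);
            return "ok: " + new String(pt, StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {
            return "AEADBadTagException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real handshake.
        byte[] key = new byte[16];   Arrays.fill(key, (byte) 0x11);
        byte[] nonce = new byte[12]; Arrays.fill(nonce, (byte) 0x22);
        // Assumed TLS 1.2 AEAD additional data: seq_num(8) | type(1) | version(2) | length(2)
        byte[] aad = {0, 0, 0, 0, 0, 0, 0, 1, 0x17, 0x03, 0x03, 0x00, 0x05};
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, nonce, aad)
                .doFinal("hello".getBytes(StandardCharsets.UTF_8));

        byte[] badKey = key.clone();     badKey[0] ^= 1;    // keys derived differently on each side
        byte[] badNonce = nonce.clone(); badNonce[11] ^= 1; // nonce / record counter out of step
        byte[] badAad = aad.clone();     badAad[7] ^= 1;    // sequence number in AAD off by one
        byte[] shortCt = Arrays.copyOf(ct, ct.length - 1);  // record bytes lost before decryption

        System.out.println("correct inputs   -> " + open(key, nonce, aad, ct));
        System.out.println("wrong key        -> " + open(badKey, nonce, aad, ct));
        System.out.println("wrong nonce      -> " + open(key, badNonce, aad, ct));
        System.out.println("wrong AAD        -> " + open(key, nonce, badAad, ct));
        System.out.println("truncated record -> " + open(key, nonce, aad, shortCt));
    }
}
```

Only the first call decrypts; the exception alone does not say which of the four inputs was wrong, so each has to be compared against a known-good run such as the eapol_test one suggested above.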



More information about the Freeradius-Devel mailing list