Help with EAP TLS authentication

Alan DeKok aland at
Tue Sep 20 21:03:16 CEST 2016

> On Sep 20, 2016, at 1:42 PM, Peter Truman <peter.truman+freeradius at> wrote:
> Hi there
> Trying to diagnose if I have a router OpenSSL issue, or a config issue
> (more likely).  I've generated a self-signed CA which seems to be working,
> but my new FreeRADIUS 3 (3.0.11) "default" compile doesn't seem to like
> something....
> Here is my radiusd -Xx dump:

  PLEASE follow instructions.  It's not hard.

  The FAQ, "man" pages, and web pages say to run with "radiusd -X".  We say that for a reason: additional debugging is not useful 99% of the time.  All it does is make the output harder to read.

  After some editing:

(2) Received Access-Request Id 0 from to length 292
(2)   User-Name = "pete at nexus5xp"
(2)   NAS-IP-Address =
(2)   Called-Station-Id = "305a3ac51d20"
(2)   Calling-Station-Id = "64bc0c4b27bf"
(2)   NAS-Identifier = "305a3ac51d20"
(2)   NAS-Port = 83
(2)   Framed-MTU = 1400
(2)   NAS-Port-Type = Wireless-802.11
(2)   EAP-Message =
(2)   Message-Authenticator =
(2) session-state: No State attribute

  The State attribute is missing.  It MUST exist for EAP to work.

  Your NAS is broken.  Throw it in the garbage and buy one that works.

  No amount of poking FreeRADIUS will make your NAS follow the specifications correctly.

  Throw the NAS in the garbage and buy one that works.

  Alan DeKok.
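
Added example (not part of the original message, and not FreeRADIUS code): a small offline check for the condition described above, an Access-Request that carries an EAP response but no State attribute. It assumes the server's Access-Challenge included State, which RFC 2865 requires the NAS to echo back, and treats EAP-Response/Identity as the one packet where State is not expected; the function names and sample packets are constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1
ATTR_STATE, ATTR_EAP_MESSAGE = 24, 79      # RFC 2865 / RFC 3579 attribute types
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1     # RFC 3748 code and type values

def parse_attributes(packet):
    """Return {attr_type: [values]} from a raw RADIUS packet (20-byte header + TLVs)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def missing_state(packet):
    """True if an Access-Request continuing an EAP conversation has no State."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_REQUEST:
        return False
    # One EAP packet may be split across several EAP-Message attributes.
    eap = b"".join(attrs.get(ATTR_EAP_MESSAGE, []))
    if len(eap) < 5 or eap[0] != EAP_RESPONSE:
        return False
    if eap[4] == EAP_TYPE_IDENTITY:
        return False  # opening packet: no challenge has been sent yet
    return ATTR_STATE not in attrs

def build_request(attrs):
    """Build a constructed Access-Request (zeroed authenticator) for testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 0, 20 + len(body)) + bytes(16) + body

# Constructed sample EAP payloads (not taken from the debug output above).
IDENTITY = bytes([2, 1, 0, 9, 1]) + b"pete"   # EAP-Response/Identity
TLS_ACK = bytes([2, 2, 0, 6, 13, 0])          # EAP-Response, type 13 (EAP-TLS)

if __name__ == "__main__":
    for name, eap in (("identity", IDENTITY), ("tls-ack", TLS_ACK)):
        pkt = build_request([(ATTR_EAP_MESSAGE, eap)])
        print(name, "missing State:", missing_state(pkt))
```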
