Help with non-compliant client (TLS issue)

Geoffrey McRae geoff at
Wed May 17 08:16:09 CEST 2017


I am trying to use an ESP8266 to connect to a network using freeradius.
I have confirmed that the fault is not due to freeradius, but since the
code in the SDK for the device is closed, I am limited in what I can do
to resolve the problem.

The server is configured and is working fine with EAP-PEAP using
MSCHAPv2 auth, which the device is supposed to support. Other devices
and eapol_test confirm that the radius server is set up correctly.

When the device attempts to authenticate, the following is observed in
the freeradius debug output:

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert read:fatal:bad certificate
    TLS_accept: failed in unknown state
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate
SSL: SSL_read failed inside of TLS (-1), TLS session fails.

My assumption is that the device is erroneously trying to tell the
server that it is providing a client certificate, which it obviously is
not, but I do not know enough about TLS to verify this and would love
some feedback if anyone is a guru in this area.

Even if I provide a client certificate the above error still occurs;
clearly the fault is in the binary blob that Espressif provides.

Kind Regards,
Geoffrey McRae

Server Management & Monitoring
P: +61 2 9037 0321
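
Decoding the numbers in the debug output above, as an added example that is not part of the original post: "TLS Length 7" with "Alert [length 0002]" is consistent with a 5-byte TLS record header plus a 2-byte alert body, and the low 12 bits of OpenSSL error 14094412 carry the same alert number. The record bytes are constructed from the values in the log (the actual packet is not on the page), and the error-code layout assumed is the pre-3.0 OpenSSL packing.

```python
import struct

# Alert levels and descriptions from the TLS specification (RFC 5246, section 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}
CONTENT_TYPE_ALERT = 21   # TLS record content type for alerts
ERR_LIB_SSL = 20          # OpenSSL library number for "SSL routines"

# Constructed sample: alert record rebuilt from the log values
# (TLS 1.0 = 03 01, length 0002, fatal = 02, bad_certificate = 2a).
SAMPLE_RECORD = bytes.fromhex("15 03 01 00 02 02 2a")

def parse_alert_record(record):
    """Parse one plaintext TLS alert record and return its fields."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError("not an alert record (content type %d)" % ctype)
    if length != 2 or len(body) != 2:
        raise ValueError("plaintext alert body must be exactly 2 bytes")
    level, desc = body
    return {
        "version": (major, minor),
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
        "total_length": 5 + length,
    }

def unpack_openssl_error(code):
    """Split a pre-3.0 OpenSSL packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def alert_from_reason(lib, reason):
    """Return the alert number encoded in an SSL reason code, else None."""
    # OpenSSL numbers "alert received" reasons as 1000 + alert description.
    if lib == ERR_LIB_SSL and 1000 <= reason < 1256:
        return reason - 1000
    return None

if __name__ == "__main__":
    print(parse_alert_record(SAMPLE_RECORD))
    lib, func, reason = unpack_openssl_error(0x14094412)
    print(lib, func, reason, alert_from_reason(lib, reason))
```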
