Problem with EAP PEAP Authentication on freeradius 3.22

Gleb Lisikh in4bit.general at
Thu Apr 23 22:04:21 CEST 2020

Thanks Alan!

For the end system OS, I have no idea...  Meraki web-based dashboard has a
built-in test tool to validate RADIUS configuration. This is what I used to
check my setup so far, and haven't tried any "real" client
*Is there any way to see from the RADIUS server side what client is
doing/sending wrong/incorrectly?*

Meraki does have a set of instructions on how to configure freeRADIUS to
work with Meraki EAP-TLS authentication, but those seem to be dated as I
could not even find ./etc/freeradius/eap.conf  file that they suggest to

*Perhaps you can help me to translate those instructions into 3.022 version
terms and files to edit?*

*And lastly, is there anything that had to be done in principle to enable
EAP-TLS on the server irrespective of the client behaviour?*

Thanks a lot again!


On Thu, Apr 23, 2020 at 9:48 AM Alan DeKok <aland at>

> On Apr 22, 2020, at 11:27 PM, Gleb Lisikh <in4bit.general at>
> wrote:
> >
> > Hello world!
> >
> > Trying to enable EPA2 Enterprise authentication for a Cisco Meraki  AP.
>   What end-user system are you using?  Windows?  Linux?
>   The AP just copies EAP packets between the end-user system and the
> RADIUS server.  The AP doesn't have anything to do with the EAP methods.
> > tls: TLS_accept: Error in SSLv2/v3 read client hello A
> > (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read):
> error:140760FC:SSL
> > routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>   This is a magically unhelpful error from OpenSSL.  There are many reason
> why it could happen.  All of these reasons are related to TLS negotiation
> and/or certificate issues.
> > Any idea where I may need to start troubleshooting? I haven't touched
> > Authentication at all from its original. Authorization is done through
> > python3 and seems to be working just fine.
> > By the way, exactly the same error occurs on a different freeradius
> server
> > running 3.021
>   Then the issue is the end-user system.
>   You can't debug an end-user system by looking at the RADIUS server.
> It's looking in entirely the wrong place.  The RADIUS server is just
> telling you what the error is.  The RADIUS server isn't *creating* the
> error.
>   Alan DeKok.

More information about the Freeradius-Users mailing list