EAP-TTLS with Windows 10 issue

[André]

Hello, has anyone had issues connecting windows eap-ttls to freeradius ,
all seems to go well but after challenge is sent to windows 10 , nothing
more happens connection is ended and windows only says can't connect, I'm
using a valid certificate from let's encrypt and have added let's encrypt
authority to windows 10.

Any suggestions?

More details:
freeradius -v (also tested with 3.0.21)
radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu, built on
Apr 22 2019 at 21:23:36
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster

WLC 802.1X WPA2-Enterprise
Software Version 8.5.135.0
Cisco 2504 WLC

Client Windows 10 - Fails
EAP-TTLS No encrypted password

Linux Client ubuntu 20.x - Works correctly

freeradius -X -xx
Using a let's encrypt certificate.

Mon Dec 28 12:00:08 2020 : Debug: (13) attr_filter.access_challenge: EXPAND
%{User-Name}
Mon Dec 28 12:00:08 2020 : Debug: (13) attr_filter.access_challenge: -->
fern at xxxx.local
Mon Dec 28 12:00:08 2020 : Debug: (13) attr_filter.access_challenge:
Matched entry DEFAULT at line 12
Mon Dec 28 12:00:08 2020 : Debug: (13) attr_filter.access_challenge:
EAP-Message =
0x0108003d1580000000331403030001011603030028c60ef4913a4a2a8bb545cc619ee5234cfe5c72511aa4d7a9073353f78e23a1189af29a397d34563c
allowed by EAP-Message =* 0x
Mon Dec 28 12:00:08 2020 : Debug: (13) attr_filter.access_challenge:
Attribute "EAP-Message" allowed by 1 rules, disallowed by 0 rules
Mon Dec 28 12:00:08 2020 : Debug: (13) attr_filter.access_challenge:
Message-Authenticator = 0x00000000000000000000000000000000 allowed by
Message-Authenticator =* 0x
Mon Dec 28 12:00:08 2020 : Debug: (13) attr_filter.access_challenge:
Attribute "Message-Authenticator" allowed by 1 rules, disallowed by 0 rules
Mon Dec 28 12:00:08 2020 : Debug: (13) attr_filter.access_challenge: State
= 0x3629afbd3321ba42cccfd968ddb33519 allowed by State =* 0x
Mon Dec 28 12:00:08 2020 : Debug: (13) attr_filter.access_challenge:
Attribute "State" allowed by 1 rules, disallowed by 0 rules
Mon Dec 28 12:00:08 2020 : Debug: (13) modsingle[post-auth]: returned from
attr_filter.access_challenge (rlm_attr_filter)
Mon Dec 28 12:00:08 2020 : Debug: (13)
[attr_filter.access_challenge.post-auth] = updated
Mon Dec 28 12:00:08 2020 : Debug: (13) } # Post-Auth-Type Challenge =
updated
Mon Dec 28 12:00:08 2020 : Debug: (13) session-state: Nothing to cache
Mon Dec 28 12:00:08 2020 : Debug: (13) Sent Access-Challenge Id 133 from
192.168.31.183:1812 to 192.168.31.238:32772 length 0
Mon Dec 28 12:00:08 2020 : Debug: (13) EAP-Message =
0x0108003d1580000000331403030001011603030028c60ef4913a4a2a8bb545cc619ee5234cfe5c72511aa4d7a9073353f78e23a1189af29a397d34563c
Mon Dec 28 12:00:08 2020 : Debug: (13) Message-Authenticator =
0x00000000000000000000000000000000
Mon Dec 28 12:00:08 2020 : Debug: (13) State =
0x3629afbd3321ba42cccfd968ddb33519
Mon Dec 28 12:00:08 2020 : Debug: (13) Finished request
Mon Dec 28 12:00:08 2020 : Debug: Waking up in 4.9 seconds.
Mon Dec 28 12:00:13 2020 : Debug: (8) Cleaning up request packet ID 128
with timestamp +1442
Mon Dec 28 12:00:13 2020 : Debug: (9) Cleaning up request packet ID 129
with timestamp +1442
Mon Dec 28 12:00:13 2020 : Debug: (10) Cleaning up request packet ID 130
with timestamp +1442
Mon Dec 28 12:00:13 2020 : Debug: (11) Cleaning up request packet ID 131
with timestamp +1442
Mon Dec 28 12:00:13 2020 : Debug: (12) Cleaning up request packet ID 132
with timestamp +1442
Mon Dec 28 12:00:13 2020 : Debug: (13) Cleaning up request packet ID 133
with timestamp +1442
Mon Dec 28 12:00:13 2020 : Info: Ready to process requests