AW: EAP TLS Server certificate error

Talkabout talk.about at
Mon Mar 23 17:16:48 CET 2020

Hi Thomas,

is it possible that the „old“ certificate authority is trused on the Client but the new one is not? Have you installed the new CA on the Client machine?


Gesendet von Mail für Windows 10

Von: Thomas Manninger
Gesendet: Montag, 23. März 2020 16:45
An: freeradius-users at
Betreff: EAP TLS Server certificate error

   Hi Mailing list,

   i installed freeradius on debian 9 for X802.1 authentication, which
   should replace an old freeradius server.

   For the new radius server, i generated a new CA for the client
   certificates and deployed the certificate on some clients.
   I also generated a certificate for the freeradius server (with the same

   tls-config tls-common {
       certdir = ${confdir}/certs
       cadir = ${confdir}/certs
       private_key_file = ${certdir}/server.key
       certificate_file = ${certdir}/server.crt
       dh_file = ${certdir}/dh
       ca_path = ${cadir}
       check_cert_cn = %{User-Name}
       cipher_list = "DEFAULT"

   When a client tries to authenticate, i get the following radius output:
   (7) auth_log:    --> Mon Mar 23 15:42:14 2020
   (7)     [auth_log] = ok
   (7)     if (!EAP-Message) {
   (7)     if (!EAP-Message)  -> FALSE
   (7)     else {
   (7) eap: Peer sent EAP Response (code 2) ID 15 length 17
   (7) eap: No EAP Start, assuming it's an on-going EAP conversation
   (7)       [eap] = updated
   (7) files_x802_1_cert_auth: users: Matched entry XXXXXX at line 163
   (7)       [files_x802_1_cert_auth] = ok
   (7)     } # else = updated
   (7)   } # authorize = updated
   (7) Found Auth-Type = eap
   (7) # Executing group from file
   (7)   authenticate {
   (7) eap: Expiring EAP session with state 0x5b409518594a9812
   (7) eap: Finished EAP session with state 0xfcae8891ffa18542
   (7) eap: Previous EAP request found for state 0xfcae8891ffa18542,
   released from the list
   (7) eap: Peer sent packet with method EAP TLS (13)
   (7) eap: Calling submodule eap_tls to process data
   (7) eap_tls: Continuing EAP-TLS
   (7) eap_tls: Peer indicated complete TLS record size will be 7 bytes
   (7) eap_tls: Got complete TLS record (7 bytes)
   (7) eap_tls: [eaptls verify] = length included
   (7) eap_tls: <<< recv TLS 1.2  [length 0002]
   (7) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server
   (7) eap_tls: ERROR: System call (I/O) error (-1)
   (7) eap_tls: ERROR: TLS receive handshake failed during operation
   (7) eap_tls: ERROR: [eaptls process] = fail
   (7) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module

   But, when i replace the ${certdir}/server.key and ${certdir}/server.crt
   with the server certificate from the old server, x802.1 authentication
   works (why??)

   Can someone help me?
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list