Upgrading to 3.2.10 Breaks EAP-TLS
Hector Rodriguez
hector.rodriguez at westcare.com
Fri Jun 12 17:36:19 UTC 2026
Community,
It seems that I fixed my issue with EAP-TLS after the new update. In the code below you will see : "configurable_client_cert = yes" and "EAP-TLS-Require-Client-Cert = yes" . If both are enabled and set to yes, it would cause conflict. It seems that I had to comment out "configurable_client_cert = yes" in order for EAP-TLS to work correctly. Based on the comment, it seems that both "configurable_client_cert = yes" and "EAP-TLS-Require-Client-Cert = yes" should work together, but it does not. I hope that the change I made is the correct one, which makes the server require a client cert.
Within the EAP configs there is a section which states the following:
tls {
# Point to the common TLS configuration
#
tls = tls-common
# As part of checking a client certificate, the EAP-TLS
# sets some attributes such as TLS-Client-Cert-Common-Name. This
# virtual server has access to these attributes, and can
# be used to accept or reject the request.
#
### virtual_server = check-eap-tls
# You can control whether or not EAP-TLS requires a
# client certificate by setting
#
## configurable_client_cert = yes
#
# Once that setting has been changed, you can then set
#
## EAP-TLS-Require-Client-Cert = yes
#
# in the control items for a request, and the EAP-TLS
# module will not require a client certificate from
## EAP-TLS-Require-Client-Cert = yes
#
[https://res.public.onecdn.static.microsoft/assets/bookwithme/misc/CalendarPerson20px.png]<https://outlook.office.com/bookwithme/user/af4e411e9f3847489776fafebd3877b9@westcare.com?anonymous&ismsaljsauthenabled&ep=bwmEmailSignature>
Book time to meet with me<https://outlook.office.com/bookwithme/user/af4e411e9f3847489776fafebd3877b9@westcare.com?anonymous&ismsaljsauthenabled&ep=bwmEmailSignature>
From: Hector Rodriguez <hector.rodriguez at westcare.com>
Sent: Wednesday, June 10, 2026 11:31 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Upgrading to 3.2.10 Breaks EAP-TLS
Community,
After upgrading to the latest and greatest, I have authentication issues again with EAP-TLS. TLS handshake has no issues, but my Windows 11 client does not want to authenticate anymore. Certs were checked, no warning , successful handshakes.
Should I revert back 3.2.9 ? Everything worked in the last version, but release notes stated there were memory leak issues.
[cid:image001.png at 01DCFA6F.5AC29E10]<https://outlook.office.com/bookwithme/user/af4e411e9f3847489776fafebd3877b9@westcare.com?anonymous&ismsaljsauthenabled&ep=bwmEmailSignature>
Book time to meet with me<https://outlook.office.com/bookwithme/user/af4e411e9f3847489776fafebd3877b9@westcare.com?anonymous&ismsaljsauthenabled&ep=bwmEmailSignature>
-- CONFIDENTIALITY NOTICE: This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to which they are addressed. This communication may contain material protected by HIPAA legislation (45 CFR, Parts 160 & 164) or by 42 CFR Part 2. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited. If you have received this email in error, please notify the sender by reply email and destroy all copies of the original message.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 528 bytes
Desc: image001.png
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20260612/4bb4e59f/attachment.png>
More information about the Freeradius-Users
mailing list