802.1x Authentication fails while CHAP authentication succeeds

This document (7001667) is provided subject to the disclaimer at the end of this document.


FreeRADIUS configured to use EAP in any SSL/TLS format
... and one of ...
Microsoft Windows XP Professional
... or ...
Microsoft Windows 2000


Authentication fails from a Microsoft Windows workstation, while using CHAP from the NTRadPing utility (or any service utilizing CHAP) successfully authenticate.  In the FreeRADIUS "radiusd -X" output while attempting authentication :

rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate


When rlm_eap_tls encounters an SSL failure, this is specifically because the workstation has failed to accept the SSL certificate used in the TLS-encrypted EAP communication.  This is remedied using one of two methods:

  • Procure a third party SSL certificate that the workstations trust
  • Reconfigure the workstation to not trust the SSL certificate by doing the following :
    1. Open the properties for the network connection on the workstation (e.g. "Wireless Network Connection Properties", "Wireless Networks", highlight the network desired, and then click on "Properties").  It should bring up a window that looks like:

    2. Click on the "Authentication" tab at the top.
    3. Click on the "Properties" button.  It should bring up a window that looks like:

    4. Ensure that "Validate server certificate" is NOT checked.

Additional Information

The SSL/TLS handshake errors occur because the workstation does not accept the SSL/TLS certificate provided by the FreeRADIUS server - usually because a self-signed SSL certificate has been used (one that has been signed by a non-recogniced certificate authority).  The excerpt from the "radiusd -X" output:
      rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
    TLS Alert read:fatal:bad certificate
        TLS_accept:failed in SSLv3 read client certificate A
    rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
    In SSL Handshake Phase
    In SSL Accept mode
    rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
      eaptls_process returned 13
      rlm_eap_peap: EAPTLS_HANDLED
      rlm_eap: Freeing handler
      modcall[authenticate]: module "eap" returns reject for request 19


    This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

    • Document ID:7001667
    • Creation Date: 16-Oct-2008
    • Modified Date:03-Mar-2020
      • SUSE Linux Enterprise Server

    < Back to Support Search

    For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

    SUSE Support Forums

    Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

    Join Our Community

    Support Resources

    Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

    SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
    Support FAQ

    Open an Incident

    Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

    Go to Customer Center