How to fix pfSense FreeRADIUS Login incorrect (eap_peap: TLS Alert read:fatal:access denied)

Problem:

When trying to log in via WPA-EAP or 802.1X with RADIUS authentication, you see an error message like:

(235) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [uli/<via Auth-Type = eap>] (from client APs port 0 cli 98-55-2B-A9-76-B9)

Solution:

The issue in my case was that the CA certificate was not valid any more. Go to

Services => FreeRADIUS => EAP

and scroll down to Certificates for TLS.

You need to choose correct, valid certificates for both the SSL CA Certificate and the SSL Server Certificate. The CA must be the CA that issued the server certificate. I recommend using a Let’s Encrypt certificate; if you do, be sure to select the correct Let’s Encrypt CA here!

My specific issue was that I had selected an old (expired) CA as SSL CA Certificate, which caused some clients (mostly Windows) to fail certificate validation, while other clients that ignored the CA certificate were able to connect properly.
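
To confirm that a CA / server certificate pair is valid and actually matches before selecting it, both can be checked with the openssl command line. The script below is an added example, not part of the original post: the function names, file names and the throwaway certificates it generates are constructed for illustration, and it assumes you have both certificates available as PEM files.

```sh
# Added example (not from the original post): sanity-check the CA/server pair.
# check_radius_certs CA_PEM SERVER_PEM [SECONDS]
# Returns 0 only if both certificates are still valid SECONDS from now
# (default 0 = now) and the server certificate verifies against the CA.
check_radius_certs() {
    ca=$1 srv=$2 horizon=${3:-0} rc=0
    openssl x509 -in "$ca" -noout -checkend "$horizon" >/dev/null ||
        { echo "FAIL: CA certificate expired (or expires within ${horizon}s)"; rc=1; }
    openssl x509 -in "$srv" -noout -checkend "$horizon" >/dev/null ||
        { echo "FAIL: server certificate expired (or expires within ${horizon}s)"; rc=1; }
    # -partial_chain accepts an intermediate CA (as used by Let's Encrypt)
    # as the trust anchor, so the root does not have to be in CA_PEM.
    openssl verify -partial_chain -CAfile "$ca" "$srv" >/dev/null 2>&1 ||
        { echo "FAIL: server certificate does not verify against this CA"; rc=1; }
    return $rc
}

# make_demo_certs DIR: constructed throwaway certificates (1-day lifetime).
make_demo_certs() {
    d=$1
    cat >"$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/other.key" -out "$d/other-ca.pem" 2>/dev/null  # same name, other key
    openssl req -new -config "$d/ca.cnf" -subj "/CN=radius.example" -newkey rsa:2048 \
        -nodes -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
}

tmp=$(mktemp -d) && make_demo_certs "$tmp"
check_radius_certs "$tmp/ca.pem" "$tmp/srv.pem" && echo "OK: matching, valid pair"
check_radius_certs "$tmp/other-ca.pem" "$tmp/srv.pem"   # wrong CA selected
check_radius_certs "$tmp/ca.pem" "$tmp/srv.pem" 172800  # both lapse within 2 days
```

For real use, call `check_radius_certs` with your own CA and server PEM files; a non-zero third argument such as 2592000 (30 days) flags certificates that are about to expire.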