Radius TTLS Issues PMP450 RockyLinux 9

I am changing out my radius servers and the certificates that I use during radius authentication. I want to use a current version of CentOS (RockyLinux 9) and my certificates expired a year ago.

Setup (RPMs come from RockyLinux):
FreeRadius 3.0.21-26
openssl-3.0.1-43

I have generated new certificates (the old certificates were not compatible with how openSSL is compiled on Rocky). There is no complaining by FreeRadius on my configurations which I verified against my old server, documentation on Cambium’s site, and my notes from over 10 years ago. I have tried eapsttls and eapspeap and will include the log segment from both which is nearly identical. For some reason there is a TLS 1.3 handshake happening and I am at a loss for the reason. I understand that FreeRadius supports only up to TLS 1.2. I have deleted my configuration and started over, generated new certs, etc. I am at a loss as to what is wrong.

TTLS eapttls

(1) eap: Expiring EAP session with state 0xdaa83f01daaa2a05
(1) eap: Finished EAP session with state 0xdaa83f01daaa2a05
(1) eap: Previous EAP request found for state 0xdaa83f01daaa2a05, released from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: (TLS) EAP Peer says that the final record size will be 58 bytes
(1) eap_ttls: (TLS) EAP Got all data (58 bytes)
(1) eap_ttls: (TLS) Handshake state - before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_ttls: (TLS) send TLS 1.0 Alert, fatal protocol_version
(1) eap_ttls: ERROR: (TLS) Alert write:fatal:protocol version
(1) eap_ttls: ERROR: (TLS) Server : Error in error
(1) eap_ttls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol
(1) eap_ttls: ERROR: (TLS) System call (I/O) error (-1)
(1) eap_ttls: ERROR: (TLS) EAP Receive handshake failed during operation
(1) eap_ttls: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) eap: Failed in EAP select
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject

TTLS eappeap

(2) eap: Expiring EAP session with state 0xa19e2913a09d3085
(2) eap: Finished EAP session with state 0xa19e2913a09d3085
(2) eap: Previous EAP request found for state 0xa19e2913a09d3085, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) EAP Peer says that the final record size will be 58 bytes
(2) eap_peap: (TLS) EAP Got all data (58 bytes)
(2) eap_peap: (TLS) Handshake state - before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
(2) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
(2) eap_peap: ERROR: (TLS) Server : Error in error
(2) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol
(2) eap_peap: ERROR: (TLS) System call (I/O) error (-1)
(2) eap_peap: ERROR: (TLS) EAP Receive handshake failed during operation
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 3 length 4
(2) eap: Failed in EAP select
(2) [eap] = invalid
(2) } # authenticate = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject

On my old server this is what I get and expect…

(28) eap: Expiring EAP session with state 0xae1594b9abad81a1
(28) eap: Finished EAP session with state 0xae1594b9abad81a1
(28) eap: Previous EAP request found for state 0xae1594b9abad81a1, released from the list
(28) eap: Peer sent packet with method EAP TTLS (21)
(28) eap: Calling submodule eap_ttls to process data
(28) eap_ttls: Authenticate
(28) eap_ttls: Continuing EAP-TLS
(28) eap_ttls: Peer ACKed our handshake fragment. handshake is finished
(28) eap_ttls: [eaptls verify] = success
(28) eap_ttls: [eaptls process] = success

Try restricting the TLS versions allowed in the radius configuration: