diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 0dd15a9be..c2e0cf0c8 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -305,6 +305,8 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
 
 int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
 {
+	char buf[20];
+
 	if (data->tls_out) {
 		/* This should not happen.. */
 		wpa_printf(MSG_INFO, "SSL: pending tls_out data when "
@@ -327,6 +329,11 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
 		return -1;
 	}
 
+	if (tls_get_version(sm->ssl_ctx, data->conn, buf, sizeof(buf)) == 0) {
+		wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf);
+		data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;
+	}
+
 	return 0;
 }
 
diff --git a/src/eap_server/eap_tls_common.h b/src/eap_server/eap_tls_common.h
index e68cb2dc9..31f6e72d7 100644
--- a/src/eap_server/eap_tls_common.h
+++ b/src/eap_server/eap_tls_common.h
@@ -50,6 +50,11 @@ struct eap_ssl_data {
 
 	enum { MSG, FRAG_ACK, WAIT_FRAG_ACK } state;
 	struct wpabuf tmpbuf;
+
+	/**
+	 * tls_v13 - Whether TLS v1.3 or newer is used
+	 */
+	int tls_v13;
 };