FreeRADIUS EAP-TLS and SSL certificate chains

[Meyers, Dan]

> >I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which
> does
> >not require a client certificate. My understanding however is that
for
> >passing of the server certificate to validate our server to the
> clients
> >the options with the tls subsection of the eap.conf file are still
> used.
> >
> 
> For that you need to export just the intermediate certificate used to
> sign the server certificate onto the clients. They should have the
root
> one already.
> 
> Import intermediate certificate (.der or .crt version) onto a client.
> Copy server.crt onto the client desktop and see if Windows recongnized
> the chain.

Yes, if I import just the intermediate certificate to the client,
install it, and then try and auth, the chain is picked up correctly (or
if I just copy across the server cert and check it). But of course the
reason for this is because the intermediate cert is then directly
trusted by the client, and the server cert is signed by it.

This was my reasoning for thinking that FreeRADIUS was not passing the
intermediate cert when the auth attempt was being made. I did originally
think it should work without the root cert, because the client already
had that, and only installed it as well as the intermediate cert when I
failed to get the output I expected just using the intermediate one.
Googling suggested that simply catting the 2 certs (server and
intermediate) into a single file (server at top, intermediate at bottom)
and listing that in the config as the certificate_file should work, but
it'd didn't seem to for me (and i've checked the file formats this
time). The client got the server cert, but still didn't pick up the
chain.

Dan