Hello list, I am successfully using Freeradius in our Wifi environment using EAP-TLS in single-CA environment - i.e same CA was used to sign both server and clients SSL certificates. Now I have started to use new certificate PKI with new CA hierarchy - RootCA -> SubCA -> Wifi certificates, but I wanted to keep existing legacy CA in place. This means: - that I wanted to use client certificates issued by two different CA's for EAP-TLS authentication - and as I mentioned before, the new CA is a subCA of new rootCA. - and server certificate is signed still using legacy CA I looked over older posts and it looks that this scenario is supported by freeradius and can be achieved in two ways: - using CA_file (within tls section in eap.conf) pointing to file bundling all CA related certificates (i.e. legacy CA, new SubCA and RootCA), or - using CA_path pointing to directory with separate CA *.pem files (and running "c_rehash" over that directory). both subCA and rootCA in single pem file (but I tried to separate it as well) The problem is, that everytime I wanted to authenticate with client using certificate signed by subCA, I always get: [campuswifi] Request found, released from the list [campuswifi] EAP/tls [campuswifi] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 03d6], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [campuswifi] Handler failed in EAP/tls [campuswifi] Failed in EAP select Questions: - what I am doing wrong? Miss I anything in order to get working EAP-TLS authentication over both legacy CA and new CA? recall: please note that new CA is not self signed, but signed by another rootCA authority (created also by me). thanks for any help -- Ing. Michal Bruncko, PhD., CCNP, RHCSA