We have exactly the same setup - verisign root->intermediate->our cert. What happens with an XP client on our WPA EAP-PEAP network is exactly the same as documented here:
Also - for info, when I take a "tcpdump" of eapol_test against FreeRadius, the TLS records over EAP go as follows: C : client hello FR: server hello, certs x2 [my server cert, intermediate ca], hello done C : client key exch, change cipher, encrypted handshake FR: change cipher, encrypted handshake ...that is, FreeRadius *is* sending back the intermediate certificate to the client - but as I say, a post-SP2 change to XP appears to not automatically "trust" it. Our config is as follows: eap { tls { private_key_file = ${confdir}/certs/wireless4.key certificate_file = ${confdir}/certs/wireless4-verisign-crt.pem # note: this is *our* local CA, trusted for EAP-TLS client certs CA_file = ${confdir}/certs/ICca.pem } # and peap later on } ...the file "wireless4-verisign-crt.pem" contains: -----BEGIN CERTIFICATE----- ...our cert -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ...intermediate cert -----END CERTIFICATE-----