My suggestion is to add the root and intermediate CAs to the "certificate_file", along with the server cert. This configuration tells the server (and OpenSSL) that this particular root CA and this particular intermediate CA are trusted. I already did that, but the issue is still there ...
-----Message d'origine----- De : Freeradius-Users <freeradius-users-bounces+ludovic.senecaux=lenord.fr@lists.freeradius.org> De la part de Alan DeKok Envoyé : mardi 23 janvier 2024 16:46 À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: FreeRADIUS EAP-TLS Auth. Issues Soyez vigilant, ce courriel est émis depuis l'extérieur. N'ouvrez les fichiers ou cliquez sur les liens que si vous êtes sûr de l'adresse mail de l'expéditeur. On Jan 23, 2024, at 10:30 AM, SENECAUX Ludovic <Ludovic.SENECAUX@lenord.fr> wrote:
It is the same virtual machine.
OK.
I reinstalled FR 3.0.20, and I saw the "reject_unknown_intermediate_ca" parameter does not exist in this version. If I add this to eap configuration, it is not loaded during server starts.
Yes it doesn't exist in 3.0.
So, is the value 'yes' implicit in this branch ?
No. The default value is "no". You can check this by running the server in debug mode, and looking for that configuration. My suggestion is to add the root and intermediate CAs to the "certificate_file", along with the server cert. This configuration tells the server (and OpenSSL) that this particular root CA and this particular intermediate CA are trusted. Alan DeKok. - List info/subscribe/unsubscribe? See https://antiphishing.vadesecure.com/v4?f=dnZZY1BRdGVud2p5a3J2MrifgZIIaCXUeH5...