We are documenting the architecture and configuration of freeradius 3.0.11 deployed. We need confirmation on two doubts about EAP-TLS connection. After documenting SSL Chain Verification and reviewing the Red Hat Certificate System document, we want you to confirm that we are in the correct assumption. https://access.redhat.com/documentation/en-US/Red_Hat_ Certificate_System/8.0/html/Deployment_Guide/Introduction_ to_Public_Key_Cryptography-Certificates_and_Authentication.html# Certificates_and_Authentication-How_CA_Certificates_Establish_Trust Configuration: - CA del server (/etc/pki/CApath.client) donde tenemos 1x rootCA.pem y 1x issuingCA-1.pem (issued by rootca.pem) - server.pem issued by issuingCA-1.pem - client cert issued by other issuingCA-2.pem (not on local CA of freeradius server) - issuingCA-2.pem issued by same rootCA.pem (same keyid too) --- When the mentioned client with cert-client-issued-by-issuingCA-2.pem try connecting to radius: *Case 1: client sends issuingCA-2.pem certificate during ssl negotiation. Although radius does not have it in your local CA, radius will be able to complete the chain according to the ssl-chain-verification documentation, the client's certificate is signed by issuingCA-2 and signed by rootCA.pem that it does, correct? *Case 2: client does not send the issuingCA-2.pem certificate, it will not be able to complete the chain and should deny the connection, right? --- I understand that the OCSP server, if you send the certificate of the intermediate CA will verify it as it does with the certificate of the client. But when freeradius checks the client's certificate via OCSP, does it verify during the same connection (request) the certificate of the intermediate CA? Or is that done only at the checkpoint of the CRL? == **eap config eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_password = private_key_file = ${certdir}/private/server.key certificate_file = ${certdir}/certs/server.pem dh_file = ${certdir}/private/dh ca_path = ${cadir} cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes max_entries = 255 } verify { skip_if_ocsp_ok = yes tmpdir = /var/tmp/radiusd/verify client = "/usr/bin/openssl verify -CApath ${..ca_path} -crl_check_all %{TLS-Client-Cert-Filename}" } ocsp { enable = yes timeout = 4 softfail = yes } } tls { tls = tls-common virtual_server = check-eap-tls } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } mschapv2 { } } Thanks Best regards