I checked again my 2 radius servers ; if I set " reject_unknown_intermediate_ca = yes" : - 3.0.20 (PROD) : eap-tls auth. is ok - 3.2.3 (DEV): eap-tls auth. is broken Same OS version, same OpenSSL version, same Radius config. -----Message d'origine----- De : Freeradius-Users <freeradius-users-bounces+ludovic.senecaux=lenord.fr@lists.freeradius.org> De la part de Alan DeKok Envoyé : mardi 23 janvier 2024 15:08 À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: FreeRADIUS EAP-TLS Auth. Issues Soyez vigilant, ce courriel est émis depuis l'extérieur. N'ouvrez les fichiers ou cliquez sur les liens que si vous êtes sûr de l'adresse mail de l'expéditeur. On Jan 23, 2024, at 8:51 AM, SENECAUX Ludovic <Ludovic.SENECAUX@lenord.fr> wrote:
I set "auto_chain = yes" ; the result is the same.
ca_file = ${cadir}/chain.pem This file already contains rootca and subca certificates.
OK, that's good.
Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [1] subject name /CN=SubCA (TLS) untrusted certificate with depth [0] subject name /CN=device Which certificates are those for? rootca.pem? subca.pem?
The device cert is signed by subca, which is signed by rootca.
Except the rootca isn't printed out in that list. So for some reason it's not loading the rootca. Alan DeKok. - List info/subscribe/unsubscribe? See https://antiphishing.vadesecure.com/v4?f=SVN0TjFBb1k5Qk8zQ2E1YSrRLmYqeZ4CQFZ...