I set "auto_chain = yes" ; the result is the same.
ca_file = ${cadir}/chain.pem This file already contains rootca and subca certificates.
Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [1] subject name /CN=SubCA (TLS) untrusted certificate with depth [0] subject name /CN=device Which certificates are those for? rootca.pem? subca.pem?
The device cert is signed by subca, which is signed by rootca. Rgds, -----Message d'origine----- De : Freeradius-Users <freeradius-users-bounces+ludovic.senecaux=lenord.fr@lists.freeradius.org> De la part de Alan DeKok Envoyé : mardi 23 janvier 2024 14:17 À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: FreeRADIUS EAP-TLS Auth. Issues Soyez vigilant, ce courriel est émis depuis l'extérieur. N'ouvrez les fichiers ou cliquez sur les liens que si vous êtes sûr de l'adresse mail de l'expéditeur. On Jan 23, 2024, at 7:59 AM, SENECAUX Ludovic <Ludovic.SENECAUX@lenord.fr> wrote:
I'm having an issue with FreeRADIUS 3.2.3 and the EAP module. It doesn't take into account my private PKI.
The server needs to be configured with the CA for any private PKI.
I have to set the reject_unknown_intermediate_ca parameter to no for EAP-TLS authentication to work. I have no issues with FreeRADIUS 3.0.x
I don't think we changed anything about certificate handling for CAs. All of this magic is handled by OpenSSL.
ca_file = ${cadir}/chain.pem
This file should contain the full CA chain in order. See the comments in mods-available/eap.
lrwxrwxrwx. 1 root root 17 Jan 23 12:17 3377b39c.0 -> subca.pem lrwxrwxrwx. 1 root root 18 Jan 23 12:17 72f73b82.0 -> rootca.pem -rw-r-----. 1 root radiusd 4111 Jan 23 10:16 chain.pem -rw-r-----. 1 root radiusd 1818 Jan 23 10:17 rootca.pem -rw-r-----. 1 root radiusd 2293 Jan 23 10:17 subca.pem
The rootca and subca should be OK. The ca_path references them. You may need to set "auto_chain = yes". See mods-available/eap.
... Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [1] subject name /CN=SubCA (TLS) untrusted certificate with depth [0] subject name /CN=device
Which certificates are those for? rootca.pem? subca.pem? Alan DeKok. - List info/subscribe/unsubscribe? See https://antiphishing.vadesecure.com/v4?f=M1hxaWZ5bnNuVExjSWtSa0Uu8Ud3bdVzDR9...