Hi List, at work, I have the following requirements for IP phones which should be authenticated before joining the network: - Root CA --> Sub CA --> Device certificates - The phones have the Sub CA certificate locally installed as "trustworthy" (NOT the Root CA certificate!) - The RADIUS server must only send its server certificate (not the whole chain) - The phones only send their device certificate to the RADIUS server I tried to build this scenario with FreeRADIUS (2.1.10, on Debian), but got stuck at the following points: - I only put the RADIUS server certificate to certificate_file. But as soon as CA_path or CA_file are set, FreeRADIUS sends the whole certficiate chain to the phone. - As soon as I unset CA_path and CA_file, FreeRADIUS sends only the content of certificate_file to the phone, which is what I want. Of course, phone certificate checking then doesn't work anymore. - So I thought that I implement phone certificate checking using the "verify" block. But this only seems to work "on top" of the built-in certificate checking. Does anybody have a hint? Thanks, Sven