I was having this exact same problem for a significant period of time when I bought a new Verisign cert for our servers which was chained (the old one being directly root signed, which Verisign no longer do). It would appear to be a bug/security patch in XP sometime after SP2 that causes this. Odds are, assuming you have set it up right (I used this exact same list with some setup issues I was having) that FreeRadius *is* sending your Intermediate CA to the client, but the client is ignoring it. Using Wireshark or similar to packet dump should show you how may certs you are being passed. I am reliably informed by networking staff at another University who had the same issue that if you try with a vanilla install of SP2 with no additional security patches or similar then it will work correctly. At some point after SP2 (They were not sure exactly which patch causes it) certificate chaining for PEAP stops working. Windows Vista follows the chain fine, as do various non-Microsoft OSes I tried. I didn't have a vanilla XP SP2 to test and wasn't sufficiently bothered to make one, as we weren't going to advise our users to remove security patches. The setup I have is, in eap.conf under the tls section, certificate_file points to a file which actually contains both the server cert and the intermediate cert. The server cert is at the top of the file, with the intermediate cert below. Very simple to do this, just cat the contents of the intermediate cert file to be appended to the server cert file (make sure both are the same file type. I had an issue initially where one was DOS and one was Unix, so I go a lot of metacharacter rubbish when I cat-ed one into the other). Wireshark shows FreeRadius is passing both certs, and anything that isn't XP SP2 works fine. For XP SP2 we had to supply the intermediate cert on our website and ask our users to install it from the wired network in the connect instructions for using wireless (which is where we were using PEAP). Dan
I am having an issue where FreeRadius is not handing the intermediate CA to a windows WPA2 client. We are in the process of deploying WPA2/AES with PEAP. So we purchased a certificate from a company that has a Trusted Root CA in Windows, Mac OSX, and Linux. However, it was signed with there intermediate CA, so the OS will not vailded the certificate during authentication.
The only solution seems to be installing the intermediate CA certifcate on all my clients (2,000-3,000). If it possible to chain the certificates together like you can in Apache?