In /etc/raddb/mods-enabled/eap client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" Wpa_supplicant is sending a client certificate that is the client + intermediate certificate concatenated. However freeradius only gets the client certificate in TLS-Client-Cert-Filename and openssl fails validation. I checked this by changing the client = verify command to copy the certificate to /var/tmp so I could look at it. I can verify the cert using openssl verify -CAfile ca.pem -untrusted intermediate.pem client.pem but the intermediate is not available to the radius server, or from the received cert chain from the client. I think freeradius should be receiving client+intermediate certs from wpa_client, but it's not. Is there another Filename variable containing the intermediate? Why is freeradius truncating the cert to only the client and removing the intermediate? freeradius 3.0.13