On Jan 23, 2024, at 7:59 AM, SENECAUX Ludovic <Ludovic.SENECAUX@lenord.fr> wrote:
I'm having an issue with FreeRADIUS 3.2.3 and the EAP module. It doesn't take into account my private PKI.
The server needs to be configured with the CA for any private PKI.
I have to set the reject_unknown_intermediate_ca parameter to no for EAP-TLS authentication to work. I have no issues with FreeRADIUS 3.0.x
I don't think we changed anything about certificate handling for CAs. All of this magic is handled by OpenSSL.
ca_file = ${cadir}/chain.pem
This file should contain the full CA chain in order. See the comments in mods-available/eap.
lrwxrwxrwx. 1 root root 17 Jan 23 12:17 3377b39c.0 -> subca.pem lrwxrwxrwx. 1 root root 18 Jan 23 12:17 72f73b82.0 -> rootca.pem -rw-r-----. 1 root radiusd 4111 Jan 23 10:16 chain.pem -rw-r-----. 1 root radiusd 1818 Jan 23 10:17 rootca.pem -rw-r-----. 1 root radiusd 2293 Jan 23 10:17 subca.pem
The rootca and subca should be OK. The ca_path references them. You may need to set "auto_chain = yes". See mods-available/eap.
... Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [1] subject name /CN=SubCA (TLS) untrusted certificate with depth [0] subject name /CN=device
Which certificates are those for? rootca.pem? subca.pem? Alan DeKok.