FreeRADIUS EAP-TLS and SSL certificate chains

Phil Mayers p.mayers at
Fri Feb 20 13:12:06 CET 2009

Meyers, Dan wrote:
>>> I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
>>> not require a client certificate. My understanding however is that for
>>> passing of the server certificate to validate our server to the clients
>>> the options with the tls subsection of the eap.conf file are still used.
>> For that you need to export just the intermediate certificate used to
>> sign the server certificate onto the clients. They should have the root
>> one already.
>> Import intermediate certificate (.der or .crt version) onto a client.
>> Copy server.crt onto the client desktop and see if Windows recognized
>> the chain.
> Yes, if I import just the intermediate certificate to the client,
> install it, and then try and auth, the chain is picked up correctly (or
> if I just copy across the server cert and check it). But of course the
> reason for this is because the intermediate cert is then directly
> trusted by the client, and the server cert is signed by it.


It's unclear to me exactly:

  a. what you're expecting to happen
  b. what is happening

We have exactly the same setup - verisign root->intermediate->our cert. 
What happens with an XP client on our WPA EAP-PEAP network is exactly 
the same as documented here:

...that is, after clicking all the tedious boxes in XP, once connecting 
a dialog box pops up as per page 6 of the PDF above. Once clicked, the 
user is never prompted again.

As per my email on the DOT1X list the other day, this is (we believe) a 
behaviour change from a vanilla windows XP SP2 install i.e. one of the 
hotfixes changed something.

Certainly when we tested a vanilla XP SP2 install against our current 
cert chain, it worked straight through, but a fully-hotfixed install did 

Is this what you're seeing?
