FreeRADIUS EAP-TLS and SSL certificate chains

Phil Mayers p.mayers at
Fri Feb 20 13:28:02 CET 2009

> We have exactly the same setup - verisign root->intermediate->our cert. 
> What happens with an XP client on our WPA EAP-PEAP network is exactly 
> the same as documented here:

Also - for info, when I take a "tcpdump" of eapol_test against 
FreeRadius, the TLS records over EAP go as follows:

C : client hello
FR: server hello, certs x2 [my server cert, intermediate ca], hello done
C : client key exch, change cipher, encrypted handshake
FR: change cipher, encrypted handshake

...that is, FreeRadius *is* sending back the intermediate certificate to 
the client - but as I say, a post-SP2 change to XP appears to not 
automatically "trust" it.

Our config is as follows:

eap {
   tls {
     private_key_file = ${confdir}/certs/wireless4.key
     certificate_file = ${confdir}/certs/wireless4-verisign-crt.pem

     # note: this is *our* local CA, trusted for EAP-TLS client certs
     CA_file = ${confdir}/certs/ICca.pem
   # and peap later on

...the file "wireless4-verisign-crt.pem" contains:

...our cert
...intermediate cert

More information about the Freeradius-Users mailing list