FreeRADIUS EAP-TLS and SSL certificate chains

Meyers, Dan d.meyers at
Mon Feb 23 11:01:54 CET 2009

> Dan,
> It's unclear to me exactly:
>   a. what you're expecting to happen
>   b. what is happening
> We have exactly the same setup - verisign root->intermediate->our
> What happens with an XP client on our WPA EAP-PEAP network is exactly
> the same as documented here:
> ...that is, after clicking all the tedious boxes in XP, once
> a dialog box pops up as per page 6 of the PDF above. Once clicked, the
> user is never prompted again.

Yes, this is the behaviour we are seeing too. The issue is that, with
said popup and a directly root-signed cert, you can click on the 'View
Server Certificate' button and see that it is trusted to a known root,
and Windows says something along the lines of 'This is a trusted
certificate'. The reason we shifted to using a Verisign cert instead of
a self-signed one with the right bits set was that we were getting a
surprisingly large number of users refusing to accept a cert that
Windows flashed up as 'Untrusted. Warning, this certificate cannot be
traced to a known trusted root etc etc' (or whatever the actual text is,
I can't recall offhand), and then complaining that they couldn't get on
the wireless network. It was easier to get a 'proper' cert from Verisign
than it was to try and get all our users to install our local CA on
their personal machines. Now that Verisign are using an Intermediate CA
the cert we have paid for is no better than a self-signed one in this

The chain does get picked up correctly in Vista, which backs up your
point of it being an XP specific issue and nothing to do with
FreeRADIUS. I was unfortunately testing on XP only as that is the only
Windows I had readily available. If it used to work then God knows why
MS decided to break it in a security update, but bring the functionality
back in Vista. Unfortunately the majority of our users are still on XP.

Thanks all for your help.
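The behaviour discussed in this thread (a supplicant that trusts only the root can build a path from the server certificate only if it also has the intermediate) can be reproduced at the command line. The script below is an added example, not code from the thread or from FreeRADIUS; the CA names, radius.example.org and the file names are constructed, and the statement that FreeRADIUS presents the leaf followed by the intermediates from the single file named by certificate_file in the tls section of eap.conf is an assumption to check against the eap.conf comments of the version in use.

```shell
#!/bin/sh
# Added example (not from the thread): build a root -> intermediate -> server
# chain with openssl and check what a client that trusts only the root can
# verify, with and without the intermediate being handed to it.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

newkey_csr() {
  # newkey_csr <name> <subject>: fresh RSA key in name.key, CSR in name.csr
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

issue() {
  # issue <name> <extfile> [<ca-name>]: sign name.csr with the CA's key,
  # or self-sign with name.key when no CA is given; output is name.pem
  if [ $# -eq 3 ]; then
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 1825 -sha256 -extfile "$2" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 3650 -sha256 -extfile "$2" -out "$1.pem" 2>/dev/null
  fi
}

chain_status() {
  # chain_status <trusted-root-file> <leaf> [<untrusted-chain-file>]
  # Prints "ok" if the leaf chains to the trusted root using only the
  # untrusted material supplied (what the EAP server sends), else "fail".
  # -no-CAfile/-no-CApath keep the system store out, like a supplicant
  # whose only relevant trust anchor is the one root.
  if [ $# -eq 3 ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$3" "$2" \
      >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" \
      >/dev/null 2>&1 && echo ok || echo fail
  fi
}

make_chain() {
  # Extension files: CA certs need CA:TRUE and keyCertSign, the leaf does not.
  cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:radius.example.org
EOF
  newkey_csr root "/CN=Example Root CA"
  issue root ca.ext                       # self-signed root (the trust anchor)
  newkey_csr intermediate "/CN=Example Intermediate CA"
  issue intermediate ca.ext root          # intermediate signed by the root
  newkey_csr server "/CN=radius.example.org"
  issue server server.ext intermediate    # server cert signed by the intermediate
  # Bundle the server presents in the TLS handshake: leaf first, then the
  # intermediate. Assumption: this is the layout FreeRADIUS expects in the
  # certificate_file of eap.conf's tls section.
  cat server.pem intermediate.pem > server-chain.pem
}

make_chain
echo "leaf only:           $(chain_status root.pem server.pem)"
echo "leaf + intermediate: $(chain_status root.pem server.pem intermediate.pem)"
echo "leaf chain bundle:   $(chain_status root.pem server.pem server-chain.pem)"
```

The first line prints fail (openssl reports that it cannot get the local issuer certificate) and the other two print ok: the leaf alone cannot be traced to the root, while the same leaf verifies as soon as the intermediate is available, either on its own or inside the bundle the server would send. That is the difference between a client that uses the intermediate it is sent and one that does not, and it is the check worth running on the certificate file before blaming the RADIUS server.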


