PEAP - Intermediate CA

Alan DeKok aland at
Tue May 12 09:31:47 CEST 2009

CJ O wrote:
> I am having an issue where FreeRadius is not handing the intermediate CA
> to a windows WPA2 client. We are in the process of deploying WPA2/AES
> with PEAP. So we purchased a certificate from a company that has a
> Trusted Root CA in Windows, Mac OSX, and Linux. However, it was signed
> with there intermediate CA, so the OS will not vailded the certificate
> during authentication.

  So long as the CA chain is intact, this should work.

> The only solution seems to be installing the intermediate CA certifcate
> on all my clients (2,000-3,000). If it possible to chain the
> certificates together like you can in Apache?

  Yes.  But you need to install the CA chain on the RADIUS server.  See

			#  If CA_file (below) is not used, then the
			#  certificate_file below MUST include not
			#  only the server certificate, but ALSO all
			#  of the CA certificates used to sign the
			#  server certificate.
			certificate_file = ${certdir}/server.pem

  Odds are you didn't include the intermediate certificates in the
RADIUS configuration.

  Alan DeKok.

More information about the Freeradius-Users mailing list