PEAP - Intermediate CA

Meyers, Dan d.meyers at lancaster.ac.uk
Tue May 12 10:42:06 CEST 2009


I was having this exact same problem for a significant period of time
when I bought a new Verisign cert for our servers which was chained (the
old one being directly root signed, which Verisign no longer do). It
would appear to be a bug/security patch in XP sometime after SP2 that
causes this. Odds are, assuming you have set it up right (I used this
exact same list with some setup issues I was having) that FreeRadius
*is* sending your Intermediate CA to the client, but the client is
ignoring it. Using Wireshark or similar to packet dump should show you
how many certs you are being passed.

I am reliably informed by networking staff at another University who had
the same issue that if you try with a vanilla install of SP2 with no
additional security patches or similar then it will work correctly. At
some point after SP2 (they were not sure exactly which patch causes it)
certificate chaining for PEAP stops working. Windows Vista follows the
chain fine, as do various non-Microsoft OSes I tried. I didn't have a
vanilla XP SP2 to test and wasn't sufficiently bothered to make one, as
we weren't going to advise our users to remove security patches.

The setup I have is, in eap.conf under the tls section, certificate_file
points to a file which actually contains both the server cert and the
intermediate cert. The server cert is at the top of the file, with the
intermediate cert below. Very simple to do this, just cat the contents
of the intermediate cert file to be appended to the server cert file
(make sure both are the same file type. I had an issue initially where
one was DOS and one was Unix, so I got a lot of metacharacter rubbish
when I cat-ed one into the other). Wireshark shows FreeRadius is passing
both certs, and anything that isn't XP SP2 works fine. For XP SP2 we had
to supply the intermediate cert on our website and ask our users to
install it from the wired network in the connect instructions for using
wireless (which is where we were using PEAP).

Dan

> I am having an issue where FreeRadius is not handing the intermediate
> CA to a windows WPA2 client. We are in the process of deploying
> WPA2/AES with PEAP. So we purchased a certificate from a company that
> has a Trusted Root CA in Windows, Mac OSX, and Linux. However, it was
> signed with their intermediate CA, so the OS will not validate the
> certificate during authentication.
> 
> The only solution seems to be installing the intermediate CA
> certificate
> on all my clients (2,000-3,000). Is it possible to chain the
> certificates together like you can in Apache?
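The chain-file recipe Dan describes (server cert on top, intermediate appended below, both with the same line endings) is easy to get subtly wrong, and a cat-ed file with mixed DOS/Unix endings or the certs in the wrong order will still "work" until a client tries to walk the chain. The script below is an added example, not code from the list post or from the FreeRADIUS project: it normalises line endings before concatenating, counts the certificate blocks FreeRADIUS would end up sending (the same number Wireshark should show), and checks that each cert's issuer DER matches the next cert's subject DER, which is the ordering the Windows supplicant expects. The hostnames and CA names are made up, and `fake_cert_pem()` builds unsigned stand-in certificates purely so the example runs offline; the checking functions walk real X.509 DER and work unchanged on a real chain file.

```python
"""Assemble and sanity-check a PEM chain file for FreeRADIUS's certificate_file."""
import base64
import re

# Body of each CERTIFICATE block; tolerant of CRLF, LF and stray blank lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_pem(text):
    """Turn DOS (CRLF) or bare-CR line endings into Unix LF and end the file with
    exactly one newline, so concatenation never glues one cert's END line onto
    the next cert's BEGIN line."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return text.strip() + "\n"


def build_chain(server_pem, intermediate_pem):
    """Server cert first, intermediate directly below it (the order eap.conf's
    certificate_file needs), Unix line endings throughout."""
    return normalize_pem(server_pem) + normalize_pem(intermediate_pem)


def pem_certs(text):
    """DER bytes of every certificate block, in file order; corrupt base64 raises."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(text)]


def _tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Raw DER of (issuer, subject) from an X.509 cert. Byte-for-byte comparison
    is enough here because an issued cert copies the issuer's subject DER."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, ve = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = ve
    _, _, p = _tlv(der, p)                  # serialNumber
    _, _, p = _tlv(der, p)                  # signature AlgorithmIdentifier
    issuer_start = p
    _, _, p = _tlv(der, p)                  # issuer Name
    issuer = der[issuer_start:p]
    _, _, p = _tlv(der, p)                  # validity
    subject_start = p
    _, _, p = _tlv(der, p)                  # subject Name
    return issuer, der[subject_start:p]


def chain_problems(pem_text):
    """List of human-readable problems with the chain file; empty means it looks right."""
    certs = pem_certs(pem_text)
    problems = []
    if len(certs) < 2:
        problems.append("expected server cert plus intermediate, found %d cert(s)" % len(certs))
    for i in range(len(certs) - 1):
        issuer, _ = issuer_and_subject(certs[i])
        _, next_subject = issuer_and_subject(certs[i + 1])
        if issuer != next_subject:
            problems.append("cert %d is not issued by cert %d; check the order" % (i, i + 1))
    return problems


# ---- constructed test data (not real certificates) -------------------------
def _der(tag, content):
    """Minimal DER TLV encoder with short- and long-form lengths."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with one commonName (2.5.4.3)."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn, crlf=False):
    """Constructed, unsigned stand-in for a certificate: only the fields that
    issuer_and_subject() walks are meaningful. crlf=True mimics a DOS-format file."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                     # [0] version v3
               + _der(0x02, b"\x01")                               # serialNumber
               + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
               + _name(issuer_cn)
               + _der(0x30, b"")                                   # validity (empty here)
               + _name(subject_cn))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # sigAlg, signature placeholders
    b64 = base64.encodebytes(cert).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    nl = "\r\n" if crlf else "\n"
    return nl.join(["-----BEGIN CERTIFICATE-----"] + lines + ["-----END CERTIFICATE-----"]) + nl


if __name__ == "__main__":
    server = fake_cert_pem("radius.example.ac.uk", "Example Intermediate CA", crlf=True)
    inter = fake_cert_pem("Example Intermediate CA", "Example Root CA")
    chain = build_chain(server, inter)
    print("certs in chain file:", len(pem_certs(chain)))
    print("problems:", chain_problems(chain) or "none")
    print("reversed order:", chain_problems(build_chain(inter, server)))
```

On a real chain file the same ordering check can be cross-checked with the OpenSSL CLI: `openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout` prints the subject and issuer of each block in file order, so the first issuer should read as the second subject.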
