As freeradius validates the client certificate on an EAP-TLS connection and OCSP

Miguel Hinojosa miguel.hinojosa at
Tue Apr 11 16:46:03 CEST 2017

We are documenting the architecture and configuration of freeradius 3.0.11
deployed. We need confirmation on two doubts about EAP-TLS connection.

After documenting SSL Chain Verification and reviewing the Red Hat
Certificate System document, we want you to confirm that we are in the
correct assumption.

- CA del server (/etc/pki/CApath.client) donde tenemos 1x rootCA.pem y
1x issuingCA-1.pem (issued by rootca.pem)
- server.pem issued by issuingCA-1.pem
- client cert issued by other issuingCA-2.pem (not on local CA of
freeradius server)
- issuingCA-2.pem issued by same rootCA.pem (same keyid too)


When the mentioned client with cert-client-issued-by-issuingCA-2.pem
try connecting to radius:
*Case 1: client sends issuingCA-2.pem certificate during ssl
negotiation. Although radius does not have it in your local CA, radius
will be able to complete the chain according to the
ssl-chain-verification documentation, the client's certificate is
signed by issuingCA-2 and signed by rootCA.pem that it does, correct?
*Case 2: client does not send the issuingCA-2.pem certificate, it will
not be able to complete the chain and should deny the connection,


I understand that the OCSP server, if you send the certificate of the
intermediate CA will verify it as it does with the certificate of the

But when freeradius checks the client's certificate via OCSP, does it
verify during the same connection (request) the certificate of the
intermediate CA?
Or is that done only at the checkpoint of the CRL?

**eap config
eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}
        tls-config tls-common {
                private_key_password =
                private_key_file = ${certdir}/private/server.key
                certificate_file = ${certdir}/certs/server.pem
                dh_file = ${certdir}/private/dh
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
                ecdh_curve = "prime256v1"
                cache {
                        enable = yes
                        max_entries = 255
                verify {
                        skip_if_ocsp_ok = yes
                        tmpdir = /var/tmp/radiusd/verify
                        client = "/usr/bin/openssl verify -CApath
${..ca_path} -crl_check_all %{TLS-Client-Cert-Filename}"
                ocsp {
                        enable = yes
                         timeout = 4
                        softfail = yes
        tls {
                tls = tls-common
                virtual_server = check-eap-tls
        peap {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        mschapv2 {

Best regards

More information about the Freeradius-Users mailing list