EAP-TLS cert validation with intermediate cert

Zetan Drableg zetan.drableg at gmail.com
Wed Sep 26 21:09:10 CEST 2018

In /etc/raddb/mods-enabled/eap
 client = "/usr/bin/openssl verify -CApath ${..ca_path}

Wpa_supplicant is sending a client certificate that is the client +
intermediate certificate concatenated. However freeradius only gets the
client certificate in TLS-Client-Cert-Filename and openssl fails
validation. I checked this by changing the client = verify command to copy
the certificate to /var/tmp so I could look at it.

I can verify the cert using
openssl verify -CAfile ca.pem -untrusted intermediate.pem client.pem
but the intermediate is not available to the radius server, or from the
received cert chain from the client. I think freeradius should be receiving
client+intermediate certs from wpa_client, but it's not.

Is there another Filename variable containing the intermediate?
Why is freeradius truncating the cert to only the client and removing the

freeradius 3.0.13

More information about the Freeradius-Users mailing list