FreeRADIUS EAP-TLS Auth. Issues

Alan DeKok aland at
Tue Jan 23 15:45:52 UTC 2024

On Jan 23, 2024, at 10:30 AM, SENECAUX Ludovic <Ludovic.SENECAUX at> wrote:
> It is the same virtual machine.


> I reinstalled FR 3.0.20, and I saw the "reject_unknown_intermediate_ca" parameter does not exist in this version.
> If I add this to the eap configuration, it is not loaded when the server starts.

  Yes, it doesn't exist in 3.0.

> So, is the value 'yes' implicit in this branch?

  No.  The default value is "no".

  You can check this by running the server in debug mode, and looking for that configuration.

  My suggestion is to add the root and intermediate CAs to the "certificate_file", along with the server cert.  This configuration tells the server (and OpenSSL) that this particular root CA and this particular intermediate CA are trusted.

  Alan DeKok.
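
Added example, not part of the original message or of the FreeRADIUS project: one way to assemble the single PEM file that "certificate_file" would point at, checking issuer/subject linkage and `openssl verify` before concatenating server cert, intermediate and root. The file names, the `demo-*` CNs and the throwaway PKI are constructed assumptions; it needs the `openssl` CLI.

```shell
#!/bin/sh
# Added example: build and check a PEM bundle for EAP-TLS "certificate_file".
# All file names and CNs here are constructed for the demo.
set -eu

# Print the subject or issuer DN of the first certificate in a PEM file.
dn() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# usage: build_bundle out.pem server.pem intermediate.pem root.pem
# Refuses to write the bundle unless each cert was issued by the next one.
build_bundle() {
  [ "$(dn issuer "$2")" = "$(dn subject "$3")" ] ||
    { echo "server cert not issued by intermediate" >&2; return 1; }
  [ "$(dn issuer "$3")" = "$(dn subject "$4")" ] ||
    { echo "intermediate not issued by root" >&2; return 1; }
  openssl verify -CAfile "$4" -untrusted "$3" "$2" >/dev/null || return 1
  cat "$2" "$3" "$4" > "$1"   # server cert first, then intermediate, then root
}

# Number of certificates in a PEM bundle.
bundle_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# usage: make_demo_pki dir  (throwaway root -> intermediate -> server chain)
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  for n in root inter server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" \
    -extfile "$1/ca.ext" -days 2 -out "$1/root.pem" 2>/dev/null
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -extfile "$1/ca.ext" -days 2 -out "$1/inter.pem" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
    -CAcreateserial -days 2 -out "$1/server.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
build_bundle "$demo/server-chain.pem" "$demo/server.pem" "$demo/inter.pem" "$demo/root.pem"
echo "wrote $demo/server-chain.pem with $(bundle_count "$demo/server-chain.pem") certificates"
```

With real certificates, only `build_bundle` is needed; the private key stays in its own file and is never added to the bundle.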
