FreeRADIUS EAP-TLS Auth. Issues

Andrew Lowther alowther at
Wed Jan 24 05:52:16 UTC 2024

FWIW, I had the same experience using FreeRADIUS 3.2.3 on Ubuntu
22.04.  EAP-TLS authentication would always fail when using the

reject_unknown_intermediate_ca = yes

When the server ran in debug mode it would print something like

Warning: Certificate chain - 1 cert(s) untrusted
Warning: (TLS) untrusted certificate with depth [1] subject name
Warning: (TLS) untrusted certificate with depth [0] subject name /CN=Client
Auth: tls: There are untrusted certificates in the certificate chain.

The server debug output will print all the certificates in the chain
that the client provides.  Removing the Intermediate CA from the
server could change the output to

Warning: Certificate chain - 2 cert(s) untrusted

but there was always at least 1 cert(s) untrusted.

My suspicion is that the Intermediate is not causing the problem.  I
suspect the call to X509_STORE_CTX_get0_untrusted returns the leaf
certificate that the client provided as untrusted.    I did not
understand the code well enough to confirm my suspicion.

More information about the Freeradius-Users mailing list