FreeRADIUS EAP-TLS Auth. Issues
Andrew Lowther
alowther at gmail.com
Wed Jan 24 05:52:16 UTC 2024
FWIW, I had the same experience using FreeRADIUS 3.2.3 on Ubuntu
22.04. EAP-TLS authentication would always fail when using the
configuration
reject_unknown_intermediate_ca = yes
When the server ran in debug mode it would print something like
Warning: Certificate chain - 1 cert(s) untrusted
Warning: (TLS) untrusted certificate with depth [1] subject name /CN=IntermediateCA
Warning: (TLS) untrusted certificate with depth [0] subject name /CN=Client
Auth: tls: There are untrusted certificates in the certificate chain.
Rejecting.
The server debug output will print all the certificates in the chain
that the client provides. Removing the Intermediate CA from the
server could change the output to
Warning: Certificate chain - 2 cert(s) untrusted
but there was always at least 1 cert(s) untrusted.
My suspicion is that the Intermediate is not causing the problem. I
suspect the call to X509_STORE_CTX_get0_untrusted returns the leaf
certificate that the client provided as untrusted. I did not
understand the code well enough to confirm my suspicion.
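Added example, not code from the post or from FreeRADIUS itself: a small Python triage script that parses debug lines of the form quoted above (the sample below is constructed to match that format) and reports whether the leaf certificate at depth 0 is among those the server flagged as untrusted, which is the observation behind the suspicion stated above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample in the format of the FreeRADIUS debug output quoted above.
SAMPLE_DEBUG = """\
Warning: Certificate chain - 1 cert(s) untrusted
Warning: (TLS) untrusted certificate with depth [1] subject name /CN=IntermediateCA
Warning: (TLS) untrusted certificate with depth [0] subject name /CN=Client
Auth: tls: There are untrusted certificates in the certificate chain. Rejecting.
"""

CHAIN_RE = re.compile(r"Certificate chain - (\d+) cert\(s\) untrusted")
DEPTH_RE = re.compile(r"untrusted certificate with depth \[(\d+)\] subject name (\S+)")
REJECT_RE = re.compile(r"untrusted certificates in the certificate chain")


@dataclass
class ChainReport:
    untrusted_count: Optional[int] = None      # the "N cert(s) untrusted" summary
    untrusted: Dict[int, str] = field(default_factory=dict)  # depth -> subject
    rejected: bool = False

    def leaf_flagged(self) -> bool:
        # Depth 0 is the client's own certificate; depth >= 1 are issuers.
        return 0 in self.untrusted

    def count_mismatch(self) -> bool:
        # Summary count disagrees with the number of per-cert warnings.
        return self.untrusted_count is not None and self.untrusted_count != len(self.untrusted)


def parse_debug(text: str) -> ChainReport:
    report = ChainReport()
    for line in text.splitlines():
        if m := CHAIN_RE.search(line):
            report.untrusted_count = int(m.group(1))
        elif m := DEPTH_RE.search(line):
            report.untrusted[int(m.group(1))] = m.group(2)
        elif REJECT_RE.search(line):
            report.rejected = True
    return report


def diagnose(report: ChainReport) -> str:
    if report.leaf_flagged():
        return "depth 0 (leaf) is itself in the untrusted list; a missing intermediate is not the only cause"
    if report.untrusted:
        return "only issuer certificates untrusted; install the missing intermediate in the server CA store"
    return "no untrusted certificates reported"
```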