Intermediate-Trust certificate issues

Hector Rodriguez hector.rodriguez at westcare.com
Fri May 1 18:35:10 UTC 2026


Hello,

I hope everyone is well. Currently I have implemented FreeRADIUS in a test environment with EAP-TLS mode enabled. My environment currently has a two-tier PKI (CA Root and CA Issuer within the Intune Microsoft Cloud PKI environment). Our FreeRADIUS server is configured to have an SSL certificate from the CA server installed within my FreeRADIUS server, which is generated by the CA config. Our Root CA and Issuer CA certificates have been imported from Intune and converted from .cer to PEM/CRT file formats, and the EAP config file has been edited to point to a bundled (full chain) Issuer CA cert. The server's certificate store has been updated to trust the Microsoft CA and Issuer CA for our environment. I have created a configuration profile within Intune to grant machines (in my case, just a test machine) permission to install both CA Root and Issuer certs to their respective certificate store. Public certs are owned by the freerad user and currently have 755 permissions.

Another thing to note is that we are currently using a Unifi switch and we have set the controller profile to authenticate with RADIUS. I have been going a bit insane trying to figure out why the FreeRADIUS server is not trusting my intermediate certificate when I have clearly followed the appropriate instructions. No matter what I do, the intermediate cert is not trusted. Authentication only occurs when I set reject_unknown_intermediate_ca to no. I have been noticing that other users have a similar issue with PKIs related to Microsoft Cloud PKI. Do you think there will be a fix? Is there anything that I can do for this issue? Although it seems unsafe, do you think it would be OK to set reject_unknown_intermediate_ca = no?

Piece of my log errors:

Certificate chain - 1 intermediate CA cert(s) untrusted
To forbid these certificates see 'reject_unknown_intermediate_ca'
(TLS) untrusted certificate with depth [1] subject name /C=US/ST=test/L=testn/OU=Information Technology/O=test-site Inc/CN=Test-Issuing-Cloud-CA1
(TLS) untrusted certificate with depth [0] subject name /CN=AP-tesetmachine
tls: There are untrusted certificates in the certificate chain.  Rejecting.
(13) eap_tls: (TLS) TLS - send TLS 1.3 Alert, fatal internal_error
(13) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:internal error
(13) eap_tls: ERROR: (TLS) TLS - Server : Error in error
(13) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed
(13) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(13) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(13) eap_tls: ERROR: [eaptls process] = fail
(13) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(13) eap: Sending EAP Failure (code 4) ID 10 length 4
(13) eap: Failed in EAP select
(13)     [eap] = invalid
(13)   } # authenticate = invalid
(13) Failed to authenticate the user
(13) Using Post-Auth-Type Reject
(13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(13)   Post-Auth-Type REJECT {
(13) attr_filter.access_reject: EXPAND %{User-Name}


Thank you !