Problem using FreeRADIUS with EAP authentication and Intermediate CA

Started by PlexingtonSteel, September 07, 2022, 12:12:19 PM

Hi!

I found several unsolved topics regarding my problem, so I opened a new one.

For a "branch office like location" I built an all-in-one OPNsense device with integrated WiFi-N.
The WiFi access is supposed to be handled by the integrated RADIUS service with certificate based EAP authentication.

My setup consists of the following CA structure:
Root CA -> Intermediate CA -> Intermediate Issuing CA -> User Certificates.
The "Intermediate Issuing CA" is set as the "Root Certificate" in the RADIUS settings.
WiFi is working and authentication requests are forwarded to the RADIUS service, but RADIUS is not able to handle the authentication of the user.

With "radiusd -X" I get the following error:
(9) eap_tls: (TLS) EAP Got final fragment (674 bytes)
(9) eap_tls: (TLS) EAP Done initial handshake
(9) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(9) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
(9) eap_tls: (TLS) Creating attributes from server certificate
(9) eap_tls:   TLS-Cert-Serial := "04"
(9) eap_tls:   TLS-Cert-Expiration := "270710100208Z"
(9) eap_tls:   TLS-Cert-Valid-Since := "220905100208Z"
(9) eap_tls:   TLS-Cert-Subject := "/CN=Intermediate Issuing CA/C=Country/ST=State/L=City/O=Org/OU=Org Unit"
(9) eap_tls:   TLS-Cert-Issuer := "/CN=Intermediate CA/C=Country/ST=State/L=City/O=Org/OU=Org Unit"
(9) eap_tls:   TLS-Cert-Common-Name := "Intermediate Issuing CA"
(9) eap_tls:   ERROR: (TLS) OpenSSL says error 2 : unable to get issuer certificate
(9) eap_tls: (TLS) send TLS 1.2 Alert, fatal unknown_ca
(9) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA
(9) eap_tls: ERROR: (TLS) Server : Error in error
(9) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
(9) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(9) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(9) eap_tls: ERROR: [eaptls process] = fail

It seems like the RADIUS service, or OpenSSL in this case, can't verify its own configured CA in order to verify the incoming client certificate.
When I use the "Root CA" instead and issue & use a client certificate directly from it, RADIUS is able to authenticate the request and grant access.
If I configure the "Root CA" as CA and use a client certificate issued by the "Intermediate Issuing CA" it logically can't verify it either.

All three CAs are installed in the trust store of OPNsense.
I played with the option System -> Settings -> General -> Trust -> Store intermediate but without success.

The /usr/local/etc/raddb/certs/cert_opn.pem file contains the whole chain for the server certificate.
But /usr/local/etc/raddb/certs/ca_opn.pem only contains the "Intermediate Issuing CA" certificate without the chain.
Might that be the problem? I wasn't able to test it; the files are obviously recreated after a service restart.

Just a test... can you download the root CA and the intermediate, add a new CA entry with the root first and the intermediate below it at once, and try again?

OK, that's working. Didn't know adding the chain in the trust store was an option. It wasn't even necessary to delete the old certificate; I just had to edit it, restart the FreeRADIUS service, and now it's working as intended.
Thanks a lot for this simple solution.
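The failure in the debug log above and the fix from the reply, reproduced with the openssl CLI. This is an added example, not code from the thread, OPNsense or FreeRADIUS; the CA names and the wifi-user client certificate are constructed, and it assumes an OpenSSL 1.1.1 or 3.x binary in PATH. A CA file that holds only the Intermediate Issuing CA cannot be chained to a self-signed root, so the client certificate is rejected with OpenSSL error 2 (unable to get issuer certificate), while a bundle of root, intermediate and issuing CA verifies it.

```shell
#!/bin/sh
# Added example: rebuilds the thread's CA structure with the openssl CLI and shows why
# a CA file holding only the "Intermediate Issuing CA" fails while a full chain passes.
# Names (root, intermediate, issuing, wifi-user) are constructed for this example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# make_ca NAME CN [ISSUER]: self-signed when ISSUER is omitted, otherwise signed by ISSUER's key
make_ca() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "${3:-}" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
      -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
      -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# make_client CN ISSUER: an end-entity (EAP-TLS supplicant) certificate without CA extensions
make_client() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -subj "/CN=$1" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -out "$WORK/client.pem" 2>/dev/null
}

# verify_with CAFILE: prints OK or FAIL; OpenSSL's reason (e.g. error 2 ... unable to get
# issuer certificate) goes to stderr on failure
verify_with() {
  if out=$(openssl verify -CAfile "$1" "$WORK/client.pem" 2>&1); then
    echo OK
  else
    echo "$out" | grep error | head -n 1 >&2
    echo FAIL
  fi
}

make_ca root "Root CA"
make_ca intermediate "Intermediate CA" root
make_ca issuing "Intermediate Issuing CA" intermediate
make_client wifi-user issuing
# The bundle in the order the reply suggests: root first, intermediates below it
cat "$WORK/root.pem" "$WORK/intermediate.pem" "$WORK/issuing.pem" > "$WORK/chain.pem"

echo "CA file = issuing CA only: $(verify_with "$WORK/issuing.pem")"   # FAIL
echo "CA file = full chain:      $(verify_with "$WORK/chain.pem")"     # OK
```

openssl verify applies the same trust rule that FreeRADIUS's eap module inherits from OpenSSL for its configured CA file: without a partial-chain flag, the bundle must reach a self-signed root, which is why the single Intermediate Issuing CA certificate in ca_opn.pem could not verify anything.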