PMP450 RADIUS user authentication certificate restrictions?

I'm trying to upload our RADIUS server's cert. It's reading the cert, but never shows on the list. Is there a key-size restriction or something? The factory certs are sha1WithRSAEncryption size 1024. I have certs that are sha512WithRSAEncryption size 2048. Should these work?

Hi,

The RADIUS Server cert is actually a list of CAs and not a server certificate.

When a RADIUS session is established, the server certificate presented by the RADIUS server has to be signed by one of the CAs present on the radio; only then does the radio think it is talking to a trusted RADIUS server, and the connection proceeds.

I tried to upload a dummy CA (created using openssl) with an RSA 208 bit key and SHA-512, and the import is successful.

After reboot I can see certificate parameters also.

Thanks,

Chitrang

That is not my experience. I have a PMP450 running 15.2.0.1. I go to the "Accounts" configuration. It has the default certs installed. I delete "User Authentication Certificate 1" then upload my CA's intermediate cert. After I click the "Import Certificate" button, it says "Uploaded File" and "Error opening file.". The PEM certificate is included below.

$ openssl x509 -in all_points_broadband_intermediate_ca_1.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6e:94:f6:c1:85:82:dc:1d:43:5f:5d:7a:85:94:96:7c:aa:f7:56:de
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=US, O=All Points Broadband, CN=All Points Broadband Root CA 1
        Validity
            Not Before: Aug  5 14:23:00 2016 GMT
            Not After : Aug  5 10:23:00 2036 GMT
        Subject: C=US, O=All Points Broadband, CN=All Points Broadband Intermediate CA 1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                A0:24:D9:73:A9:06:F2:2A:E1:0A:FB:5D:EC:40:AC:9F:45:7F:D4:8D
            X509v3 Authority Key Identifier:
                keyid:A0:F9:60:38:52:E4:6D:9F:1B:51:A4:D7:F5:39:83:CA:08:E9:87:23
Signature Algorithm: sha512WithRSAEncryption

If I just have one RADIUS server, then I should simply be able to import only the server's certificate, right? I only need to import a signing cert if I might be talking to one of a pair of RADIUS servers who each have their own certificates. Isn't that correct?

Hi,

As per the current design, you have to include the complete chain of certs, and not just the intermediate certificate.
Please try adding the Root CA as well to the intermediate CA cert and then upload.

I think I'm getting closer. I deleted both default certs. Then uploaded a certificate file that contains the root and the intermediate certs in PEM format, called 'chain.pem'. I click 'Import Certificate', and the display shows a few asterisks, then "Uploaded File" and "Done Receiving File". The 'Import Certificate' button text changes to 'chain.pem'. I wait a little more and the page refreshes but there's a quick flash of a message "Error: File bigger than max size". I click "Save Changes", then "Reboot". After reboot, the default certificates are still there. I have included my cert chain below.


Also, we've upgraded this testing AP to 16.1.

Maximum allowed size is 2560 bytes.

Can you try uploading only the Root CA?

Thanks,

Chitrang

When I import just the self-signed root cert, I get the asterisks, then "Uploaded file" and "Error opening file". Do you get something different with my certs?

Looks like there might be a filename length restriction on the certificate filename. When I renamed the root cert to "chain.pem" then the import worked successfully.


Ok. Root certificate has been imported. When I then import the intermediate, I get a flash of an error, "Cannot save file because it failed verification." I even imported the root, then rebooted and tried to import the intermediate. Both certs are included in an earlier comment.

Hi,

I am looking at how we can fix this.

Either increase the size so that the complete chain can be imported,

or allow import of intermediate CA certs.

Will update you.

Thanks

Hi,

Can you check the following:

1. Import the Root CA only to the SM. There is no need for intermediate CA certs to be uploaded.

2. On your RADIUS server, send the complete chain, i.e. Intermediate CA + Root CA, e.g. chain.pem.

If you are using FreeRADIUS, you have to add chain.pem in the TLS CA_file section of eap.conf.

The server certificate signed by this intermediate CA and the server key should also be configured.

3. After this, restart the RADIUS server and see if the SM gets authenticated or not. I tested these steps and it works for me.

So in short, there is no need to import the intermediate CA, as all we store is the trusted CA.


That appears to work. Thanks for working through it for me.
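
The arrangement that resolved this thread (only the self-signed root on the radio, with the intermediate presented by the RADIUS server) can be checked offline with openssl before importing anything. This is an added example, not part of the original posts and not vendor tooling; the 2560-byte limit is the one quoted in the thread, while the function names, return codes and file names are assumptions.

```shell
#!/bin/sh
# Added example (not vendor tooling). MAX_BYTES is the import limit quoted in
# the thread; function names and return codes are assumptions of this sketch.
MAX_BYTES=2560

# check_trust_anchor FILE
#   0 = one self-issued certificate that fits the size limit
#   1 = larger than MAX_BYTES ("File bigger than max size" in the thread)
#   2 = does not contain exactly one PEM certificate (e.g. a chain file)
#   3 = unreadable, or openssl cannot parse it
#   4 = issuer differs from subject (an intermediate or leaf, not a root)
check_trust_anchor() {
    f=$1
    [ -r "$f" ] || return 3
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -le "$MAX_BYTES" ] || return 1
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$count" -eq 1 ] || return 2
    subj=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || return 3
    issu=$(openssl x509 -in "$f" -noout -issuer_hash 2>/dev/null) || return 3
    [ "$subj" = "$issu" ] || return 4
    return 0
}

# check_server_chain ROOT INTERMEDIATE SERVER
# Mirrors the split described in the thread: ROOT is given as the trust
# anchor file (what the radio stores), INTERMEDIATE is passed as untrusted
# material (what the RADIUS server presents alongside its own certificate).
# Returns 0 only if SERVER chains to ROOT through INTERMEDIATE.
check_server_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Stand-alone use: sh preflight.sh root.pem intermediate.pem server.pem
if [ "$#" -eq 3 ]; then
    rc=0
    check_trust_anchor "$1" || rc=$?
    [ "$rc" -eq 0 ] || { echo "root file rejected (code $rc)"; exit "$rc"; }
    check_server_chain "$1" "$2" "$3" || { echo "server chain does not verify"; exit 5; }
    echo "ok: import $1 on the radio; present $2 from the RADIUS server"
fi
```

A return code of 4 for the intermediate certificate matches the "failed verification" message reported above when it was imported on its own.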