Hi Aaron,

Thanks a lot for the clarification.

In my case, the environment is fully BYOD, so unfortunately I can’t rely on MDM or any manual installation of CA/intermediate certificates on the users’ devices. Because of that, I’m trying to achieve a setup where iOS devices automatically trust the RADIUS certificate during 802.1X onboarding without requiring any user interaction.

That’s why I wanted to confirm whether PacketFence can be configured to automatically serve the complete Let’s Encrypt chain (leaf + intermediate + root) during the EAP handshake. If PF already builds and sends the full chain by default, then I may need to verify why iOS is still classifying the certificate as “Not Trusted.”

Is there any way within PacketFence to ensure the full chain is always included during RADIUS authentication specifically for BYOD onboarding? Or any recommended configuration to avoid iOS trust warnings when no MDM is involved?

Any guidance would be greatly appreciated.

Best regards,
Abdlmalik
________________________________
From: Aaron Zuercher via PacketFence-users <[email protected]>
Sent: Thursday, November 20, 2025 10:42 PM
To: [email protected] <[email protected]>
Cc: Aaron Zuercher <[email protected]>
Subject: Re: [PacketFence-users] iOS Not Trusting RADIUS Certificate (Let’s Encrypt Chain Issue – PF 14.1)

Hello,

we are on PF 13.2 still, but if you go to Configuration > SSL Certificates and Radius tab you will see the full chain of LE certs including CA and Intermediate certs. Also PF will auto-renew the certs monthly. We deliver all the necessary certs to our Apple devices via MDM.

Aaron

On Sat, Nov 8, 2025 at 9:41 AM Abdlmalek Luttei via PacketFence-users <[email protected]> wrote:

Hi all,

After setting up 802.1X on a new SSID (PacketFence 14.1, Let’s Encrypt cert), my iPhone sees the RADIUS cert but flags it as Not Trusted. I double-checked I’m using the right cert. It looks like FreeRADIUS isn’t sending the full chain during EAP (leaf + intermediate), so iOS can’t validate it.

Questions:

1. Is there a GUI path in PF to make RADIUS serve the full chain? (Exact menu/fields would help.)
2. If this has to be done manually, which files should I point RADIUS to (fullchain vs cert, CA bundle, etc.), and which service(s) should I reload after changes?
3. For renewals with Let’s Encrypt, what’s the recommended way to keep RADIUS picking up the new full chain automatically? (e.g., a post-renew hook, symlink, and the right reload command?)

Thanks in advance for any pointers or examples.

Best,
Abdlmalik

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
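The "leaf + intermediate" question raised in this thread can be checked on the certificate bundle itself. The following is an added example, not part of the original messages and not PacketFence tooling: a shell function that lists the certificates in a PEM bundle in file order and checks that each one is followed by its issuer. The bundle path is a placeholder supplied by the caller, the exit codes are this example's own convention, and the check compares subject/issuer names only (it does not verify signatures).

```shell
#!/bin/sh
# Added example: report the order of certificates in a PEM bundle.
# Exit codes (this example's own convention): 0 = leaf followed by its
# issuer(s), 1 = leaf only, 2 = wrong order/unrelated cert, 3 = no certs.
check_chain() {
    bundle=$1                      # placeholder path supplied by the caller
    tmpdir=$(mktemp -d) || return 3
    # Split the bundle into one file per certificate, keeping file order.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    count=0; prev_issuer=""; status=0
    for pem in "$tmpdir"/*.pem; do
        [ -f "$pem" ] || break     # glob did not match: bundle had no certs
        subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
        issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253)
        subject=${subject#subject=}; issuer=${issuer#issuer=}
        count=$((count + 1))
        echo "[$count] subject: $subject"
        echo "    issuer:  $issuer"
        # Each certificate after the first must be the issuer of the previous one.
        if [ "$count" -gt 1 ] && [ "$subject" != "$prev_issuer" ]; then
            echo "    -> does not match issuer of certificate $((count - 1))"
            status=2
        fi
        prev_issuer=$issuer
    done
    rm -rf "$tmpdir"
    if [ "$count" -eq 0 ]; then echo "no certificates found"; return 3; fi
    if [ "$status" -ne 0 ]; then return "$status"; fi
    if [ "$count" -eq 1 ]; then echo "leaf only: no intermediate in bundle"; return 1; fi
    return 0
}

# Run against a bundle when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_chain "$1"; fi
```

This inspects the file the RADIUS service is pointed at; it does not show what is actually sent during the EAP handshake.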
