When using EAP-TLS as the only method in freeradius, is there a way to define a list of allowed users, perhaps by the CN on their client certificate?

I want it so that not *everyone* who has a certificate signed by the CA list can authenticate, but rather a select few (of which I know the CN of their certificates).

Thanks...
Stephen