Goodday, In my FreeRadius setup for authenticating WiFi devices with EAP-TLS, I use server- and client SSL certificates from CA provider ' X '. I understand that now everyone with knowledge of this fact, can get a client SSL cert (PKCS#12) from this CA provider X and can authenticate with my WPA2 Enterprise network. After reading the following from the README: "In general, you should use self-signed certificates for 802.1x (EAP) authentication. When you list root CAs from other organisations in the "ca_file", you permit them to masquerade as you, to authenticate your users, and to issue client certificates for EAP-TLS." I would like to ask the following question. Is there something I can configure on the server side that only certain CommonName's and/or serial's can be used to authenticate correctly? Next to this question, I wonder why also a username (Benutzername) is asked in iOS when we use EAP-TLS with a certificate? I can fill out this field with whatever string and it authenticates in FreeRadius (when a correct cert is presented of course). screenshot: https://hilfe.uni-paderborn.de/images/thumb/4/4f/Eduroam_iOS7_04.png/250px-E... I run version 3.0.11 on Ubuntu 14.04 LTS 64bit. Thank you