Troubleshooting EAP-TLS with External Certificates

Alan DeKok aland at
Fri Sep 9 18:53:02 CEST 2016

On Sep 9, 2016, at 12:41 PM, Matthew West <matthew.t.west at> wrote:
> To this, my technical lead on the project said:
> ] Need to look at two things here –
> ] * CRL checks – so that revoked certs do not authenticate
> ] * Certificate Whitelist of sorts – So only our bunch of certs authenticate
> It is apparent that he understands the implication of using the
> VeriSign chain as our CA. Is it possible to achieve a cert whitelist,
> say, filter on the e-mail address presented in the certificate?

  Not on the client.

  See the Windows GUI for what's possible.  The short answer is "not much".

> Would that remediate any security concerns, or would that still leave
> room for abuse?

  You probably can't do it, which means it doesn't help.

  Alan DeKok.

More information about the Freeradius-Users mailing list