Troubleshooting EAP-TLS with External Certificates

Matthew Newton mcn4 at
Fri Sep 9 21:36:25 CEST 2016

On Fri, Sep 09, 2016 at 09:41:17AM -0700, Matthew West wrote:
> To this, my technical lead on the project said:
> ] Need to look at two things here –
> ] * CRL checks – so that revoked certs do not authenticate
> ] * Certificate Whitelist of sorts – So only our bunch of certs authenticate
> It is apparent that he understands the implication of using the
> VeriSign chain as our CA. Is it possible to achieve a cert whitelist,
> say, filter on the e-mail address presented in the certificate?

On FreeRADIUS, look at OCSP in mods-available/eap, and
sites-available/check-eap-tls (also in mods-available/eap).

> Would that remediate any security concerns, or would that still leave
> room for abuse?

You can start with a known good secure situation where you have
control over all the variables, and do a little bit more work to
really tighten it down. Or you could start from a known less secure
situation where other people have control over your infrastructure,
and try and patch it up to stop people getting in who shouldn't.

Your choice... but I know which one I'd go for to make sure access
to my network was secure.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>
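A worked configuration for the approach Matthew points to, added here as an example and not taken from the thread or from the FreeRADIUS distribution: turn on revocation checking in the EAP module, and have the check-eap-tls virtual server accept only client certificates whose e-mail SAN is on a short list. The chain file name, the issuer DN and the listed addresses are assumed placeholders.

```unlang
# mods-available/eap (fragment, constructed example).
# Revocation checks stop revoked certs; the virtual server applies the whitelist.
eap {
    tls-config tls-common {
        ca_file   = ${cadir}/public-chain.pem   # assumed: the external CA chain
        check_crl = yes                         # CRLs under ca_path must be refreshed
        ocsp {
            enable            = yes
            override_cert_url = no              # use the responder URL in each cert
            softfail          = no              # unreachable responder = reject
        }
        # Called only after the chain has verified; a reject here rejects the cert.
        virtual_server = check-eap-tls
    }
}

# sites-available/check-eap-tls (constructed example).
# The TLS-Client-Cert-* attributes are filled in from the already verified
# certificate, so the values compared below are trustworthy.
server check-eap-tls {
    authorize {
        update config {
            &Auth-Type := Accept
        }
        # Assumed issuer DN: refuse anything not issued by our own intermediate,
        # even though the rest of the public chain would verify fine.
        if (&TLS-Client-Cert-Issuer !~ /CN=Example Corp Issuing CA/) {
            reject
        }
        # Whitelist on the e-mail SAN; the default case rejects everything else.
        switch &TLS-Client-Cert-Subject-Alt-Name-Email {
            case "alice@example.com" { ok }
            case "bob@example.com"   { ok }
            case                     { reject }
        }
        # Residual risk Matthew describes: a cert the public CA issues to a listed
        # address still authenticates until it is revoked, so keep the list short
        # and watch the OCSP/CRL checks for failures in the debug output.
    }
}
```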
