How to avoid EAP-TLS login on commercial CAs?

Ramon Escriba escriba at
Thu Jun 29 17:00:58 CEST 2017

Hello FreeRadius masters,

We're planning to use EAP-TTLS with a commercial certificate on

We do not want any "client certificate" signed by this commercial big CA to
log in.


Of course, I saw the warning:

        #  Note that you should NOT use a globally known CA here!
        #  e.g. using a Verisign cert as a "known CA" means that
        #  ANYONE who has a certificate signed by them can
        #  authenticate via EAP-TLS!  This is likely not what you want.

But is there any simple way to globally forbid any CA 'valid client
certificate', apart from not using the commercial CA?



