How to avoid EAP-TLS login on commercial CA's?

Matthew Newton matthew at
Thu Jun 29 17:08:11 CEST 2017

On Thu, Jun 29, 2017 at 05:00:58PM +0200, Ramon Escriba wrote:
> We're planning to use EAP-TTLS with a commercial certificate on
> freeradius-3.0.4.

Start on 3.0.14, not 3.0.4. It's old and buggy.

> We do not want any "client certificate" signed by this
> commercial big CA to log in.


> But, there's any simple way to forbid globally any CA 'valid client
> certificate', a part of not using the commercial CA??

I assume you mean EAP-TLS as in the subject, not EAP-TTLS.
In which case definitely only use a private CA.

Even if it's EAP-TTLS you should still use a private CA for
security to stop the possibility of credentials being leaked.


More information about the Freeradius-Users mailing list