How to avoid EAP-TLS login on commercial CA's?

Alan DeKok aland at
Thu Jun 29 17:10:00 CEST 2017

On Jun 29, 2017, at 11:00 AM, Ramon Escriba <escriba at> wrote:
> We're planning to use EAP-TTLS with a commercial certificate on
> freeradius-3.0.4.
> But, there's any simple way to forbid globally any CA 'valid client
> certificate', a part of not using the commercial CA??

  You can disable the "tls" sub-module in EAP.  See raddb/mods-available/eap.

  They can still use client certificates with PEAP or TTLS, but you will still be checking passwords, so that doesn't matter as much.

  Alan DeKok.

More information about the Freeradius-Users mailing list