TTLS+PAP with Windows

Bjørn Mork bjorn at
Wed Mar 15 09:53:39 CET 2017

Herman Øie Kolden <herman at> writes:
> On Tue, Mar 14, 2017 at 07:12:28PM -0400, Alan DeKok wrote:
>>   I don't recommend using public CAs for WiFi authentication.  It's insecure.
> Interesting. Would you mind explaining why? 

/usr/share/doc/freeradius/examples/certs/README in the Debian package

      In general, you should use self-signed certificates for 802.1x
    (EAP) authentication.  When you list root CAs from other
    organizations in the "CA_file", you permit them to masquerade as
    you, to authenticate your users, and to issue client certificates
    for EAP-TLS.


More information about the Freeradius-Users mailing list