TTLS+PAP with Windows

Bjørn Mork bjorn at
Wed Mar 15 11:13:51 CET 2017

Herman Øie Kolden <herman at> writes:
> On Wed, Mar 15, 2017 at 09:53:39AM +0100, Bjørn Mork wrote:
>> In general, you should use self-signed certificates for 802.1x (EAP)
>> authentication. When you list root CAs from other organizations in the
>> "CA_file", you permit them to masquerade as you, 
> Why is this a concern for EAP, but not for regular web certificates?

I would say it is a concern for web certificates as well. You cannot
trust them any more than you can trust the long list of public CAs. But
that's another discussion :)

At least you have a name you can match up against the DN or SNI for a
web server.  How can the end user verify your RADIUS server certificate?
Answer: By verifying the issuer.  The DN and SNI are irrelevant, since
the user will not know what they are supposed to be (unless you pin the
certificate, in which case it could just as well be self signed).

If the issuer gives certificates to anyone, like a public CA will do,
then anyone can impersonate your RADIUS server,
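
Added example, not part of the original message: a throwaway openssl setup showing what an issuer-only check accepts when the trust anchor is a CA that certifies other parties, compared with a CA that only certifies your own RADIUS server. All names (public-ca, private-ca, radius.example.org, host.example.net) are constructed for illustration, and the default openssl.cnf is assumed to mark `req -x509` certificates as CAs.

```shell
# Constructed demo; every CA, host and file name below is made up.
# mk_ca DIR NAME: create a self-signed CA (key + certificate).
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
# issue DIR CA NAME CN: leaf certificate NAME with subject CN, signed by CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.pem" 2>/dev/null
}
# verdict DIR ANCHOR CERT: decision of a client that only verifies the issuer.
verdict() {
    if openssl verify -CAfile "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
    then echo "$2:$3=accept"; else echo "$2:$3=reject"; fi
}
issuer_trust_demo() {
    d=$(mktemp -d) || return 1
    mk_ca "$d" public-ca && mk_ca "$d" private-ca || return 1
    # The organisation's RADIUS server, certified once by each CA.
    issue "$d" public-ca  radius-pub  radius.example.org || return 1
    issue "$d" private-ca radius-priv radius.example.org || return 1
    # An unrelated customer of the same "public" CA.
    issue "$d" public-ca  other       host.example.net   || return 1
    verdict "$d" public-ca  radius-pub    # accept
    verdict "$d" public-ca  other         # accept: same issuer, different owner
    verdict "$d" private-ca radius-priv   # accept
    verdict "$d" private-ca other         # reject: issuer is not the private CA
    rm -rf "$d"
}
issuer_trust_demo
```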

