TTLS+PAP with Windows

Michael Ströder michael at
Wed Mar 15 19:24:11 CET 2017

Bjørn Mork wrote:
> Herman Øie Kolden <herman at> writes:
>> On Tue, Mar 14, 2017 at 07:12:28PM -0400, Alan DeKok wrote:
>>>   I don't recommend using public CAs for WiFi authentication.  It's insecure.
>> Interesting. Would you mind explaining why? 
> /usr/share/doc/freeradius/examples/certs/README in the Debian package
> says
>       In general, you should use self-signed certificates for 802.1x
>     (EAP) authentication.  When you list root CAs from other
>     organizations in the "CA_file", you permit them to masquerade as
>     you, to authenticate your users, and to issue client certificates
>     for EAP-TLS.

Strictly speaking, a self-signed certificate is a public-key certificate signed by the
private key of the very same key pair (and not by another entity's private key).

So while I fully agree with the statement above, the term "self-signed certificate" is
wrong. It should clearly say that you should run your own single-purpose EAP CA and
distribute the EAP CA's public-key certificate in all your client configurations.

Ciao, Michael.


More information about the Freeradius-Users mailing list