eap-tls with valid and fake certificates.

Matthew Newton mcn at freeradius.org
Fri Dec 27 23:41:43 CET 2019

On Fri, 2019-12-27 at 17:47 +0100, codythejack wrote:
> Hello !  The Idea is to authenticate users with eap-tls with
> certficates. People without any certificate should use different vlan
> provided by Radius. Only supported authentication should be eap-
> tls.  Is it possible to make authentication with eap-tls with
> certficates for valid users and some "guest vlan" for users
> which hasnt any or unknown certificates ?

It's not possible. If the device doesn't present a valid certificate,
it won't authenticate. You can't force an "Accept" with EAP methods.

You will need to use a different method to handle guest accounts. If
you want to use EAP-TLS only you will have to issue certificates to


More information about the Freeradius-Users mailing list