EAP TLS Authentication - Understanding Method Details

I'd like to have a better understanding of the Method Details for EAP-TLS.  Specifically, these options:


  • Authorization required

    I'm not sure how this differs from checking the authorization box in the Service that I create or if checking this option under EAP-TLS is required for authorization attributes to be pulled auotmatically?

  • Certificate Comparison

    What do I gain by performing a certificate comparison?  All of our user certs are issued automatically by AD.  I want to be sure that as long as the cert hasn't expired or been revoked, and the user's account hasn't been disabled that they'll be authenticated.

  • Verify Certificate using OCSP

    This is for verifying that a certificate hasn't been revoked using OCSP only, right?  Our certs only include a CRL URL so will the validity of the certs not be verified using a CRL?
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.

Re: EAP TLS Authentication - Understanding Method Details

i asked the same before and someone else did the same in my thread:


no useful answers unfortunately.

Contributor I

Re: EAP TLS Authentication - Understanding Method Details



  • Authorization required
    You need to untick this option, when you don't want to use an additional Authentication source. The Authentication Sources then wouldn't be used.
    See: Cert only authentication (EAP-TLS)
  •  Certificate Comparison
    If you choose i.e. Common Name (CN) then the certificate common name would be check against the provided common name of the device.
  • Verify Certificate using OCSP
    At this point I don't know to handle CRL, but if you are using OSCP, why not to use this as a validation mechanism?

Hopes this answers are helping someone.


Best regards,




Re: EAP TLS Authentication - Understanding Method Details

thank you for sharing that information Marcel. that is what airheads is about.


as for ocsp / crl i don't believe many systems will check crl urls themselves, that is something the client can do if it wants to. crls are often local anyway, so the clearpass might not be even able to reach it. ocsp is the way to go.



Guru Elite

Re: EAP TLS Authentication - Understanding Method Details


The client does not do any checking unless it is in a browser SSL page. The server checks all the parameters above.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: EAP TLS Authentication - Understanding Method Details

of course, client certificates, so it is the other way around, my bad, thanks for correcting me cjoseph.

Search Airheads
Showing results for 
Search instead for 
Did you mean: