For TLS-based EAP types, such as TLS, TTLS, and PEAP, where CRL checking has been enabled with EAPTLS_CRLCheck, this optional parameter specifies one or more CRL files that are used to check client certificates for revocation. These files are also used when EAPTLS_CRLCheckAll is enabled. Special characters are supported.
If a CRL file is not found, or if the CRL says the certificate has been revoked, TLS authentication will fail with an error: SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

To ease automation, CRLs may follow a file naming convention where each CRL file uses a special file name in the EAPTLS_CAPath directory. Setting up this directory is described in Section 3.11.3. TLS_CAPath. In this case you do not need to configure EAPTLS_CRLFile.
If CRLs are not stored in the CAPath directory, one or more CRLs can be named with multiple EAPTLS_CRLFile parameters. CRL reloading is intended to work as follows: each CRL file named with EAPTLS_CRLFile is automatically reloaded and reread at the start of each new EAP-TLS, EAP-TTLS or PEAP session if the modification date of the named CRL file has changed since it was last loaded. If the CRL for a particular issuer changes, it is sufficient to replace the existing CRL file with the newer version and Radiator will reload the new CRL when required.
Tip: Operating system wildcards are supported, so you can name multiple CRLs with a single wildcard like:
EAPTLS_CRLFile %D/crls/revocations-*.pem
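As an added example (not taken from the Radiator manual), the following AuthBy clause enables CRL checking for EAP-TLS clients and names one CRL per issuing CA explicitly rather than relying on the EAPTLS_CAPath naming convention. The file names under %D/certificates and %D/crls and the users file are assumptions.

```apacheconf
# Added example, not from the Radiator documentation. Paths are assumed.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType TLS
        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/server-key.pem
        EAPTLS_PrivateKeyPassword whatever

        # Reject client certificates listed in a CRL. Authentication also
        # fails if a named CRL file is missing, so every file below must exist.
        EAPTLS_CRLCheck

        # One CRL per issuer. Each file is reread at the start of a new
        # EAP-TLS session when its modification date has changed.
        EAPTLS_CRLFile %D/crls/root-ca.pem
        EAPTLS_CRLFile %D/crls/issuing-ca.pem
    </AuthBy>
</Handler>
```

When distributing an updated CRL, write it to a temporary name in the same directory and rename it over the old file, so the modification date changes exactly once and Radiator never rereads a partially written file.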