diff -ur freeradius-1.1.3.orig/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c freeradius-1.1.3/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
--- freeradius-1.1.3.orig/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c	2006-08-23 04:20:41.000000000 +1200
+++ freeradius-1.1.3/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c	2006-09-22 14:36:57.000000000 +1200
@@ -68,6 +68,8 @@
 	  offsetof(EAP_TLS_CONF, cipher_list), NULL, NULL},
 	{ "check_cert_issuer", PW_TYPE_STRING_PTR,
 	  offsetof(EAP_TLS_CONF, check_cert_issuer), NULL, NULL},
+	{ "require_client_cert", PW_TYPE_BOOLEAN,
+	  offsetof(EAP_TLS_CONF, require_client_cert), NULL, "no" },
 
  	{ NULL, -1, 0, NULL, NULL }           /* end the list */
 };
@@ -565,9 +567,8 @@
 
 	/*
 	 *	If we're TTLS or PEAP, then do NOT require a client
-	 *	certificate.
-	 *
-	 *	FIXME: This should be more configurable.
+	 *	certificate unless require_client_cert has been explicitly
+	 *	set in the configuration file.
 	 */
 	if (handler->eap_type != PW_EAP_TLS) {
 		vp = pairfind(handler->request->config_items,
@@ -577,6 +578,8 @@
 		} else {
 			client_cert = vp->lvalue;
 		}
+		/* Allow client certificates to be explicitly required */
+		client_cert |= inst->conf->require_client_cert;
 	}
 
 	/*
diff -ur freeradius-1.1.3.orig/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h freeradius-1.1.3/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
--- freeradius-1.1.3.orig/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h	2006-04-29 06:18:58.000000000 +1200
+++ freeradius-1.1.3/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h	2006-09-22 13:45:37.000000000 +1200
@@ -54,6 +54,7 @@
 	char		*check_cert_cn;
 	char		*cipher_list;
 	char		*check_cert_issuer;
+	int			require_client_cert;
 } EAP_TLS_CONF;
 
 /* This structure gets stored in arg */