diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c
index 2ba0b9e4..81e32b3c 100644
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@@ -217,7 +217,12 @@ static void eap_tls_tunnel_ready(const char *peer_identity, void *user_data)
 struct eap_state *eap = user_data;
 struct eap_tls_state *eap_tls = eap_get_data(eap);
 
- /* TODO: if we have a CA certificate require non-NULL peer_identity */
+ if (eap_tls->ca_cert && !peer_identity) {
+ l_error("%s: TLS did not verify AP identity",
+ eap_get_method_name(eap));
+ eap_method_error(eap);
+ return;
+ }
 
 /*
 * Since authenticator may not send us EAP-Success/EAP-Failure
diff --git a/src/eap-tls.c b/src/eap-tls.c
index 3233ae35..88b26f61 100644
--- a/src/eap-tls.c
+++ b/src/eap-tls.c
@@ -39,8 +39,6 @@ static bool eap_tls_tunnel_ready(struct eap_state *eap,
 uint8_t msk_emsk[128];
 uint8_t iv[64];
 
- /* TODO: if we have a CA certificate require non-NULL peer_identity */
-
 eap_method_success(eap);
 eap_tls_common_set_completed(eap);
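Review bot: The new guard in eap_tls_tunnel_ready (src/eap-tls-common.c) only requires peer_identity to be non-NULL when ca_cert is set; nothing in this hunk compares the identity with an expected server name. Unless a subject or domain match happens elsewhere (not visible here), any server certificate that chains to the configured CA would pass, which matters most when that CA is a public one. When ca_cert is unset, the branch is skipped and the server stays unauthenticated. Both limits deserve a comment above the check, for example `/* With a CA configured, refuse a tunnel whose server cert was not verified; the identity itself is not matched against a name here. */`. The log text says "AP identity", but the TLS peer is the EAP authentication server, so `"%s: TLS did not verify server identity"` would be more accurate; the function body continues past the end of the hunk.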