check_cert_cn translation

kas mataz kaszmat at hotmail.com
Mon Oct 27 08:55:01 CET 2008


We've noticed several people have posted their eap.conf for eap-tls troubleshooting, and that both check_cert_issuer and check_cert_cn are commented out. In these configurations, is freeradius just checking for the certificate in the CRL and that the proper CA root is in the CA_file on the freeradius server?
 
What is gained by using check_cert_cn? 

When we have check_cert_cn enabled it seems that the User-Name is translated differently from different types of devices. When a test user with an iPhone tries to connect he receives errors, but the same certificate on a Microsoft Vista wireless client is successfully authenticated. We've seen this with both freeradius v1.1.7 and v2.1.1. Which file controls the User-Name translation?
 

Fri Oct 24 19:46:58 2008 : Auth: rlm_eap_tls: Certificate CN (Test User (Company 1)) does not match specified value (test.user at company1.com)!
Fri Oct 24 19:46:58 2008 : Error: TLS Alert write:fatal:certificate unknown
Fri Oct 24 19:46:58 2008 : Error:     TLS_accept:error in SSLv3 read client certificate B
Fri Oct 24 19:46:58 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Oct 24 19:46:58 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Fri Oct 24 19:46:58 2008 : Auth: Login incorrect: [test.user at company1.com] (from client tstca-wc-c01 port 29 cli 00-23-6C-5B-1C-23)

Regards,

Kas
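
Added example, not part of the original post and not FreeRADIUS code: a small Python triage script that extracts the certificate CN and the value it was compared against from the `rlm_eap_tls` mismatch line quoted above, then pairs it with the following `Login incorrect` line so that failures can be grouped per client and calling station. The function name `cn_mismatches` and the pairing rule are assumptions of this example. In the quoted log, the "specified value" is the same string as the rejected login name.

```python
import re

# Log lines copied from the post above (the list archive renders "@" as " at ").
SAMPLE_LOG = """\
Fri Oct 24 19:46:58 2008 : Auth: rlm_eap_tls: Certificate CN (Test User (Company 1)) does not match specified value (test.user at company1.com)!
Fri Oct 24 19:46:58 2008 : Error: TLS Alert write:fatal:certificate unknown
Fri Oct 24 19:46:58 2008 : Auth: Login incorrect: [test.user at company1.com] (from client tstca-wc-c01 port 29 cli 00-23-6C-5B-1C-23)
"""

LINE = re.compile(r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
# Greedy groups anchored on the fixed text between them, so a CN that itself
# contains parentheses ("Test User (Company 1)") is captured whole.
MISMATCH = re.compile(r"rlm_eap_tls: Certificate CN \((?P<cn>.*)\) "
                      r"does not match specified value \((?P<expected>.*)\)!$")
REJECT = re.compile(r"Login incorrect(?: \(.*?\))?: \[(?P<user>.*?)\] "
                    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
                    r"(?: cli (?P<cli>[^)\s]+))?\)")

def cn_mismatches(log_text):
    """Pair each CN-mismatch line with the next 'Login incorrect' line.

    Assumption of this example: the reject line that follows a mismatch
    belongs to the same session, which holds on a quiet test server but
    not necessarily in interleaved production logs.
    """
    results, pending = [], None
    for raw in log_text.splitlines():
        line = LINE.match(raw.rstrip())
        if not line:
            continue  # not a radius.log line in the expected layout
        msg = line["msg"].strip()
        m = MISMATCH.search(msg)
        if m:
            pending = {"time": line["ts"], "cert_cn": m["cn"], "expected": m["expected"]}
            continue
        r = REJECT.search(msg)
        if r and pending:
            pending.update(user=r["user"], client=r["client"], calling_station=r["cli"])
            results.append(pending)
            pending = None
    return results

if __name__ == "__main__":
    for rec in cn_mismatches(SAMPLE_LOG):
        print(rec)
```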


