EAP-TLS: Same cert, multiple servers and locations?

Sylvain Munaut s.munaut at whatever-company.com
Sat May 7 18:43:33 CEST 2016


> ??? You can do that when using the same server CN. On clients configure to
> trust your CA and the one CN of server. Multiple server CNs is what the
> original requester wanted to avoid - and wildcard CN entries can be
> problematic

Multiple server CNs is what the OP asked to avoid because he wanted
to roam between sites with a single config and he includes the server
CN in that config (at least that's my understanding).

What I'm pointing out is that you can still achieve roaming with a
single config even if your servers don't have the same CN.

Apple clients allow locking on the cert issuer instead of the cert
itself and so does wpa_supplicant. I can't speak for every EAP-TLS
client of course, but this seems to be a pretty common option.
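
The issuer-based trust described above, sketched as a wpa_supplicant network block. This is an added example, not part of the original post; the SSID, identity, domain, file paths and passphrase are constructed placeholders. It assumes every site's RADIUS server certificate is issued by one private CA that signs nothing else, since any certificate chaining to that CA will be accepted.

```conf
# Constructed example: all names, paths and secrets below are placeholders.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"

    # Trust anchor: the private CA that issues the RADIUS server
    # certificates at every site. The server certificate is validated
    # against this issuer, so per-site CNs do not need to match.
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"

    # No subject_match on a single server CN here: that is the setting
    # that would tie this profile to one server.

    # Optional tightening: require the server name (SAN dNSName, or CN
    # when no dNSName is present) to end in a suffix shared by all sites,
    # e.g. site-a.radius.example.org and site-b.radius.example.org.
    domain_suffix_match="radius.example.org"

    # Client credentials for EAP-TLS.
    client_cert="/etc/wpa_supplicant/client.pem"
    private_key="/etc/wpa_supplicant/client.key"
    private_key_passwd="placeholder-passphrase"
}
```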


