When you say client EAP tracing do you mean on the Microsoft side, or is there something you can do on the freeradius side? When I lookup eap tracing I get information about generating Microsoft EAP host tracing files, but it's an in unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing? Thomas E. Casartello, Jr. Staff Assistant - Wireless/Linux Administrator Information Technology Wilson 105A Westfield State University -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Friday, April 15, 2011 4:14 PM To: freeradius-users@lists.freeradius.org Subject: Re: WildCard/Subject Alternative Names Cert Question On 04/15/2011 08:42 PM, Casartello, Thomas wrote:
whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2 not support validating by subject alternative names.
This isn't really a FreeRADIUS question; it's down to the supplicant to permit or deny the cert. Anyway... Section 3.2.7.1 of MS-WSH says: """ If the isValidateServerNameEnabled is set to TRUE, then verify that the subject name (Section 4.1.2.6 of [RFC5280]) or subject alternative name (section 4.2.1.6 of [RFC5280]) of the server certificate exists in ServerNames. """ i.e. it should honour subjectAltName. But Microsoft have a habit of ignoring their own standards, so if you're sure your certificate is good, then the only way to be sure is turn on client EAP tracing and dig in the logs to see why it's being refused. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html