Reimer Karlsen-Masur, DFN-CERT wrote:
Actually we were talking about server side config.
Yes. The server has been updated simplify configurations without EAP-TLS, and to document the issues involved in certificates.
Looking at the supplicant, the user strongly should enter a fully qualified name of the radius server he is expecting his authN is checked against and he strongly should make sure that his supplicant is checking hard that this FQDN matches the CN of the RADIUS server cert. Usually there is some checkbox/option to enable that behavior.
I don't recall seeing that, to be honest. wpa_supplicant doesn't have that, and Windows doesn't have it. They both have a "validate server certificate" checkbox, but that only checks the CA chain, NOT the CN. Alan DeKok.