Hello.
I have a FreeRADIUS setup using PEAP/MSCHAPv2 to authenticate wireless clients against an Active Directory environment. We’ve recently purchased a new wildcard certificate from DigiCert for our organization. The RADIUS server is not covered
by the wildcard common name on the certificate, however I have a subject alternative name specifying the RADIUS server hostname on it as well. On my new cert, connection to the system fails when I try validating the new cert (I have all the possible cert authorities
checked off.) If I uncheck validate the cert, I am then able to connect. As soon as I place the old cert back in place validation works fine. The old cert was a free signal name cert from IPS CA. The new cert is a wildcard duplicate issued from DigiCert that
has the server name as a subject alternative name as it is not covered by the wild card common name we are using – I generated the CSR for this certificate copy using the tools in freeradius (XPExtensions and whatnot.) Should this kind of a cert work, or does
802.1x/PEAP/mschapv2 not support validating by subject alternative names. I tried including the CA Cert in a chain file and not including it and had the same results either way. I know the CA is trusted by Microsoft as this same wildcard cert works in our
web applications.
Tom
Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University
(413) 572-8245
Red Hat Certified Technician (RHCT)
Cisco Certified Network Associate (CCNA)