15 Sep
2010
15 Sep
'10
3:01 p.m.
Hi,
Depends upon how aggressive the client is about validating the cert. The libraries I'm familiar with will take the CN of the subject do a DNS lookup and see if it matches the ip address on the socket. In which case I wouldn't expect the above to work.
...tell me how exactly a host is going to do a DNS lookup when they have no IP connectivity to the network - this all happens during the EAP stage - so nothing more than EAPOL will be working for the client ;-) certificate tied to an IP address sounds like a very bad idea to me - its usually a name (or 'DNS entry' in web https world) - and the client validation is based on a very basic name check. alan