So in fact I revise my previous statement, if your cert contains an NAI in the CN part of the subject, your system administrator is an idiot.
and if you check your Network RADIUS issued S/MIME certificate. Oh, oh what's that? A subjectAltName with your username as an NAI? Look at that :)
Catfight! ;-) user@example.com.pem in the FreeRADIUS directory yields this: root@debian8:/etc/freeradius/certs# openssl x509 -in user\@example.com.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha256WithRSAEncryption Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.com, CN=Example Certificate Authority Validity Not Before: Apr 28 20:57:32 2016 GMT Not After : Jun 27 20:57:32 2016 GMT Subject: C=FR, ST=Radius, O=Example Inc., CN=user@example.com/emailAddress=user@example.com Subject Public Key Info: [trimmed] X509v3 extensions: [trimmed] Signature Algorithm: sha256WithRSAEncryption [trimmed] There the Subject CN contains... a NAI? ;-) Is that standards-compliant? Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.