The various EAP methods *should* have tied usernames (i.e. domains) to a field in the certificate. e.g. a cert with CN "radius@example.com" should be sent logins for "user@example.com", but NEVER sent logins for "user@example.net"
How does this workout with child domains? For example: I have two domains 1) umhb.edu and 2) Cru.umhb.edu. "Cru" is a child of "umhb.edu", if I get a single cert for FreeRADIUS.umhb.edu will it be ok for authenticating users on both umhb.edu AND Cru.umhb.edu? Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 -----Original Message----- From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.o rg] On Behalf Of Alan DeKok Sent: Tuesday, August 03, 2010 1:13 PM To: FreeRadius users mailing list Subject: Re: windows users having trouble authenticating John Dennis wrote:
On 08/03/2010 01:30 PM, Alan DeKok wrote:
Using a known root CA for RADIUS authentication isn't really recommended.
Why?
P.S. just to clarify, it's not "using a known root CA for RADIUS authentication", rather it's using a server cert signed by a known root CA.
Sure. It's because *anyone* can set up an AP, and a RADIUS server that your PC will accept. If the AP has the same SSID as (say) your work, it will happily send your work username && login via EAP to the rogue AP. The various EAP methods *should* have tied usernames (i.e. domains) to a field in the certificate. e.g. a cert with CN "radius@example.com" should be sent logins for "user@example.com", but NEVER sent logins for "user@example.net" You should ONLY send your login credentials when you *know* who it is on the other end of the EAP conversation. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html