WPA Certificate Question
Mike Diggins
mike.diggins at mcmaster.ca
Sun Jan 31 19:52:33 CET 2010
On Sun, 31 Jan 2010, Alan Buxey wrote:
> Hi,
>
>> In the Windows WPA setup screen, Protected EAP Properties, there are
>> options to "Validate server certificate", and "Connect to these servers".
>> Do I specify my two Radius servers there? My clients don't have direct
>> access to my Radius servers, so what actually happens when I enter them
>> here? Does it just compare the FQDN to the one on the certificate that is
>> presented during the login?
>
> your 2 RADIUS servers can have the same cert, there is no issue
> there (e.g. radius.my.org) - don't forget, this is all pre-network stuff
> so no DNS is involved.
>
> and yes, the value entered in that part is a string match to the
> name in the certificate sent via the RADIUS server.
>
> some supplicants easily let you enter more than one RADIUS server name,
> use multiple certs, etc.
Ok, so I could just establish a certificate for a single host name, apply
that same certificate to all my FreeRADIUS servers, and in that "Connect
to these servers" client field, just enter the 'common name' entered on
the certificate? I wonder if a wildcard cert would work for this, as in
*.myorg.ca, then entering *.myorg.ca in the client's servers field. Just asking
because I have one of those.
In the README file there is this warning:
"You will have to ensure that the certificate contains the XP
extensions needed by Microsoft clients."
But I can't find any further information about it. How do I ensure my
certificate has these extensions? Would a CA signed cert have this?
-Mike
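Added example, not from the thread or the FreeRADIUS project: a POSIX shell script that builds two constructed self-signed test certificates with openssl, one carrying the serverAuth extended key usage (1.3.6.1.5.5.7.3.1) that FreeRADIUS's xpextensions file puts in server certificates and one without, and then checks each certificate for that extension and for a literal common-name match against a "Connect to these servers" value. The host name radius.myorg.ca is a constructed test value, and matches_server_name mimics the plain string compare described in the reply, not any particular supplicant's exact matching rules.

```shell
#!/bin/sh
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config. The xpserver_ext section mirrors the serverAuth
# EKU that FreeRADIUS's xpextensions file assigns to server certificates.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# make_cert NAME CN [extra openssl req args]: self-signed cert + key under $WORK
make_cert() {
  name=$1; cn=$2; shift 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/openssl.cnf" \
    -subj "/CN=$cn" -keyout "$WORK/$name.key" -out "$WORK/$name.pem" "$@" 2>/dev/null
}

# has_server_auth_eku CERT: succeeds if the cert carries the serverAuth EKU
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# cert_cn CERT: print the subject common name
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# matches_server_name CERT NAME: the literal string compare described in the
# reply; a wildcard entered here is compared as text, not pattern-matched
matches_server_name() {
  [ "$(cert_cn "$1")" = "$2" ]
}

make_cert good radius.myorg.ca -extensions xpserver_ext   # constructed test name
make_cert bad  radius.myorg.ca                            # same CN, no EKU

for c in good bad; do
  if has_server_auth_eku "$WORK/$c.pem"; then
    echo "$c.pem: CN=$(cert_cn "$WORK/$c.pem"), serverAuth EKU present"
  else
    echo "$c.pem: CN=$(cert_cn "$WORK/$c.pem"), serverAuth EKU MISSING"
  fi
done
```

Running the same has_server_auth_eku check against a CA-signed certificate shows whether that CA included the extension; a missing "TLS Web Server Authentication" line is the condition the README warning is about.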