WPA Certificate Question

Mike Diggins mike.diggins at mcmaster.ca
Sun Jan 31 19:52:33 CET 2010


On Sun, 31 Jan 2010, Alan Buxey wrote:

> Hi,
>
>> In the Windows WPA setup screen, Protected EAP Properties, there are
>> options to "Validate server certificate", and "Connect to these servers".
>> Do I specify my two Radius servers there? My clients don't have direct
>> access to my Radius servers, so what actually happens when I enter them
>> here? Does it just compare the FQDN to the one on the certificate that is
>> presented during the login?
>
> your 2 radius servers can have the same cert, there is no issue
> there (eg radius.my.org) - don't forget, this is all pre-network stuff
> so no DNS is involved.
>
> and yes, the value entered in that part is a string match to the
> name in the certificate sent via the RADIUS server.
>
> some supplicants easily let you enter more than one RADIUS server name,
> use multiple certs etc....

Ok, so I could just establish a certificate for a single host name, apply 
that same certificate to all my FreeRadius servers, and in that "Connect 
to these servers" client field, just enter the 'common name' entered on 
the certificate? I wonder if a wildcard cert would work for this. As in 
*.myorg.ca, then entering *.myorg.ca for client servers field. Just asking 
because I have one of those.

In the README file there is this warning:

    "You will have to ensure that the certificate contains the XP
    extensions needed by Microsoft clients."

But I can't find any further information about it. How do I ensure my 
certificate has these extensions? Would a CA signed cert have this?


-Mike
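The two things the thread turns on can be checked locally with openssl: which name the supplicant will string-match against the "Connect to these servers" field (subject CN and DNS subjectAltNames), and whether the certificate carries the server-side "XP extension", which is the extendedKeyUsage OID 1.3.6.1.5.5.7.3.1 (serverAuth) that the FreeRADIUS certs/xpextensions file adds. This is an added example, not code from the list or the FreeRADIUS project; it assumes openssl 1.1.1 or newer (for -addext) and builds two throwaway self-signed certificates, one with and one without the extension, purely to demonstrate the check.

```shell
#!/bin/sh
# Assumed tool: openssl >= 1.1.1. All certificate paths/names below are constructed.

# Names a Windows/PEAP supplicant can match against "Connect to these servers":
# the subject CN first, then any DNS entries in subjectAltName.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep 'DNS:' | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# The "XP extension" for a RADIUS server cert is EKU serverAuth
# (1.3.6.1.5.5.7.3.1); openssl prints it as "TLS Web Server Authentication".
# Returns 0 if present, 1 otherwise.
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# Human-readable verdict for one certificate file.
report_eap_server_cert() {
  echo "== $1"
  echo "names the supplicant can match:"
  cert_names "$1" | sed 's/^/  /'
  if has_server_auth_eku "$1"; then
    echo "serverAuth EKU: present (Microsoft clients will accept it)"
  else
    echo "serverAuth EKU: MISSING (re-issue with the xpextensions profile)"
  fi
}

# Constructed demo certs: $1 = output .pem, remaining args = extra openssl req options.
make_demo_cert() {
  out=$1; shift
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "${out%.pem}.key" -out "$out" \
    -subj "/CN=radius.example.org" "$@" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_demo_cert "$tmp/good.pem" \
  -addext extendedKeyUsage=serverAuth \
  -addext subjectAltName=DNS:radius.example.org,DNS:radius2.example.org
make_demo_cert "$tmp/bad.pem"   # CN only, no EKU: what a bare default cert looks like

report_eap_server_cert "$tmp/good.pem"
report_eap_server_cert "$tmp/bad.pem"
```

Run it against the actual server certificate (`report_eap_server_cert /path/to/server.pem`) to see exactly which string to enter on the client and whether the EKU is there; a CA-signed cert only has it if the CA's signing profile included it.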
