On Sun, 31 Jan 2010, Alan Buxey wrote:
Hi,
In the Windows WPA setup screen, Protected EAP Properties, there are options to "Validate server certificate", and "Connect to these servers". Do I specify my two Radius servers there? My clients don't have direct access to my Radius servers, so what actually happens when I enter them here? Does it just compare the FQDN to the one on the certificate that is presented during the login?
your 2 radius servers can have the same cert, there is no issue there (eg radius.my.org) - dont forget, this is all pre-network stuff so no DNS is involved.
and yes, the value entered in that part is a string match to the name in the certificate sent via the RADIUS server.
some supplicants easily let you enter more than one RADIUS server name, use multiple certs etc....
Ok, so I could just establish a certificate for a single host name, apply that same certificate to all my FreeRadius servers, and in that "Connect to these servers" client field, just enter the 'common name' entered on the certificate? I wonder if a wildcard cert would work for this. As in *.myorg.ca, then entering *.myorg.ca for client servers field. Just asking because I have one of those. In the README file there is this warning: "You will have to ensure that the certificate contains the XP extensions needed by Microsoft clients." But I can't find any further information about it. How do I ensure my certificate has these extensions? Would a CA signed cert have this? -Mike