freeradius, samba, AD peap/mschap-v2 redundancy and Certificate
John Dennis
jdennis at redhat.com
Wed Sep 15 20:43:37 CEST 2010
On 09/15/2010 02:21 PM, Alan Buxey wrote:
> Hi,
>
> seems okay
>
>> For certificate, do we need a server certificate for both radius1 and
>> radius2 if we want supplicant to verify the server certificate?
>
> you can use the same server certificate - so that the clients recognise them as the
> same - important if there is to be any failover.... have the CN to be eg radius.yourdomain
Depends upon how aggressive the client is about validating the cert. The
libraries I'm familiar with will take the CN of the subject, do a DNS
lookup, and see if it matches the IP address on the socket. In which case
I wouldn't expect the above to work.

As Kevin just suggested, Subject Alt Names may be a better alternative.
--
John Dennis <jdennis at redhat.com>
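
Added example (not part of the original message and not FreeRADIUS code): a simplified name check of the kind a validating client applies, assuming it compares the server name it expects against the certificate's dNSName SAN entries and falls back to the CN only when no such entries exist. The hostnames radius1.yourdomain and radius2.yourdomain and both sample certificates are constructed for illustration.

```python
# Simplified RFC 6125-style server name check (illustrative, not a TLS library).
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().

def _name_match(pattern, host):
    """Match one DNS name; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.tld".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Return (dns_sans, common_names) from a getpeercert()-style dict."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return sans, cns

def name_matches(cert, expected_host):
    """dNSName SANs take precedence; the CN is consulted only if none exist."""
    sans, cns = cert_names(cert)
    candidates = sans if sans else cns
    return any(_name_match(c, expected_host) for c in candidates)

# Constructed sample certificates (hostnames are placeholders).
SHARED_CN_ONLY = {"subject": ((("commonName", "radius.yourdomain"),),)}
SHARED_WITH_SANS = {
    "subject": ((("commonName", "radius.yourdomain"),),),
    "subjectAltName": (("DNS", "radius.yourdomain"),
                       ("DNS", "radius1.yourdomain"),
                       ("DNS", "radius2.yourdomain")),
}
HOSTS = ("radius.yourdomain", "radius1.yourdomain", "radius2.yourdomain")

def report():
    """Check every expected server name against both certificates."""
    return [(label, host, name_matches(cert, host))
            for label, cert in (("CN only", SHARED_CN_ONLY),
                                ("CN + SANs", SHARED_WITH_SANS))
            for host in HOSTS]

if __name__ == "__main__":
    for label, host, ok in report():
        print(f"{label:10} {host:20} {'match' if ok else 'MISMATCH'}")
```

With the CN-only certificate, a client that expects radius1.yourdomain or radius2.yourdomain rejects the name; with the SAN list, the same certificate validates on either server.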