freeradius, samba, AD peap/mschap-v2 redundancy and Certificate
James J J Hooper
jjj.hooper at bristol.ac.uk
Wed Sep 15 20:50:40 CEST 2010
On 15/09/2010 19:43, John Dennis wrote:
> On 09/15/2010 02:21 PM, Alan Buxey wrote:
>> Hi,
>>
>> seems okay
>>
>>> For certificate, do we need a server certificate for both radius1 and
>>> radius2 if we want supplicant to verify the server certificate?
>>
>> you can use the same server certificate - so that the clients recognise
>> them as the same - important if there is to be any failover.... have the
>> CN be e.g. radius.yourdomain
>
> Depends upon how aggressive the client is about validating the cert. The
> libraries I'm familiar with will take the CN of the subject, do a DNS
> lookup, and see if it matches the IP address on the socket. In which case I
> wouldn't expect the above to work.
Context, folks! - You are authenticating your network connection; there is
no DNS at this point... and even if there were, the NAS doesn't "have an
IP", it's an EAPoL transaction.
Alan B is correct - use exactly the same certificate on the two servers.
-James
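The check a PEAP supplicant actually performs, shown as an added example (not code from the thread or from FreeRADIUS): the server certificate must chain to the trusted CA and its subject CN must equal the name the client was configured to expect; no DNS lookup and no socket IP is involved, which is why one certificate with CN=radius.yourdomain can be copied to both servers. The PKI built here is constructed for the example; `make_test_pki`, `verify_radius_cert` and `cert_fingerprint` are names chosen here, and a rogue self-signed cert with the same CN is included to show that the CN alone is not what protects the client.

```shell
#!/bin/sh
# Constructed example: private CA, one server cert (CN=radius.yourdomain) signed
# by it, and a rogue self-signed cert carrying the same CN but no CA signature.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
  # Trust anchor the supplicant is configured with
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 1 -subj "/CN=Example Lab CA" 2>/dev/null
  # Server key + CSR, signed by the CA; this one cert is deployed on both radius servers
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=radius.yourdomain" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.pem" -days 1 2>/dev/null
  # Rogue cert: right CN, wrong issuer (what a spoofed access point could present)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
    -out "$WORK/rogue.pem" -days 1 -subj "/CN=radius.yourdomain" 2>/dev/null
}

# verify_radius_cert <ca.pem> <server.pem> <expected CN>
# Prints "ok" when the cert chains to the CA and the subject CN matches the
# configured name, "fail" otherwise. Nothing here touches DNS or an IP address.
verify_radius_cert() {
  ca=$1; cert=$2; expected=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo fail; return 0; }
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$expected" ] && echo ok || echo fail
}

# SHA-256 fingerprint: two failover servers carrying a copy of the same
# certificate yield identical values, so clients see them as one server.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_test_pki
```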