freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

James J J Hooper jjj.hooper at
Wed Sep 15 20:50:40 CEST 2010

On 15/09/2010 19:43, John Dennis wrote:
> On 09/15/2010 02:21 PM, Alan Buxey wrote:
>> Hi,
>> seems okay
>>> For certificate, do we need a server certificate for both radius1 and
>>> radius2 if we want supplicant to verify the server certificate?
>> you can use the same server certificate - so that the clients recognise
>> them as the
>> same - important if there is to be any failover.... have the CN to be eg
>> radius.yourdomain
> Depends upon how aggressive the client is about validating the cert. The
> libraries I'm familiar with will take the CN of the subject do a DNS
> lookup and see if it matches the ip address on the socket. In which case I
> wouldn't expect the above to work.

Context folks! - You are authenticating your network connection, there is 
no DNS at this point... and even if there was the NAS doesn't "have an 
IP", it's an EAPoL transaction.

Alan B is correct - use exactly the same certificate on the two servers.


More information about the Freeradius-Users mailing list