freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

Alan Buxey A.L.M.Buxey at
Wed Sep 15 21:01:10 CEST 2010


> Depends upon how aggressive the client is about validating the cert. The 
> libraries I'm familiar with will take the CN of the subject do a DNS 
> lookup and see if it matches the ip address on the socket. In which case 
> I wouldn't expect the above to work.

...tell me how exactly a host is going to do a DNS lookup
when they have no IP connectivity to the network - this
all happens during the EAP stage - so nothing more than EAPOL
will be working for the client ;-)

certificate tied to an IP address sounds like a very bad idea to me - its
usually a name (or 'DNS entry' in web https world) - and the client validation
is based on a very basic name check.


More information about the Freeradius-Users mailing list