freeradius, samba, AD peap/mschap-v2 redundancy and Certificate
A.L.M.Buxey at lboro.ac.uk
Wed Sep 15 21:01:10 CEST 2010
> Depends upon how aggressive the client is about validating the cert. The
> libraries I'm familiar with will take the CN of the subject do a DNS
> lookup and see if it matches the ip address on the socket. In which case
> I wouldn't expect the above to work.
...tell me how exactly a host is going to do a DNS lookup
when they have no IP connectivity to the network - this
all happens during the EAP stage - so nothing more than EAPOL
will be working for the client ;-)
A certificate tied to an IP address sounds like a very bad idea to me - it's
usually a name (or 'DNS entry' in the web https world) - and the client validation
is based on a very basic name check.
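The name check the post refers to, as an added example that is not part of the original thread or of FreeRADIUS: a supplicant-side comparison of the server certificate's names against a locally configured expected name, with no DNS involved. The matching rules mimic the usual supplicant "full match" and "suffix match at a label boundary" behaviour; the certificate fields are assumed to be already parsed, and the sample names are constructed.

```python
# Added example (not from the original thread or from FreeRADIUS): checking the
# EAP server certificate's names against a *configured* name. During EAP the
# client only has EAPOL, so there is nothing to resolve; the only reference it
# can compare against is local configuration. Certificate fields are shown as
# already-parsed values (hypothetical form), as a supplicant would hold them
# after TLS handshake parsing. All sample names below are constructed.

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCertNames:
    """Names taken from the server certificate (hypothetical parsed form)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _candidates(cert: ServerCertNames) -> List[str]:
    # Prefer SAN dNSName entries; fall back to the subject CN only when the
    # certificate carries no dNSName at all (common supplicant behaviour).
    if cert.san_dns:
        return [n.lower().rstrip(".") for n in cert.san_dns]
    return [cert.subject_cn.lower().rstrip(".")] if cert.subject_cn else []


def domain_match(cert: ServerCertNames, expected: str) -> bool:
    """Full, case-insensitive match against the configured server name."""
    return expected.lower().rstrip(".") in _candidates(cert)


def domain_suffix_match(cert: ServerCertNames, suffix: str) -> bool:
    """Suffix match at a label boundary: 'lboro.ac.uk' accepts
    'radius1.lboro.ac.uk' but rejects 'evil-lboro.ac.uk'."""
    suffix = suffix.lower().rstrip(".")
    return any(n == suffix or n.endswith("." + suffix) for n in _candidates(cert))


if __name__ == "__main__":
    # Constructed samples: a CN-only cert, a SAN cert, and an IP-literal CN.
    print(domain_suffix_match(ServerCertNames("radius1.lboro.ac.uk"), "lboro.ac.uk"))
    print(domain_match(ServerCertNames("x", ["radius1.lboro.ac.uk"]), "RADIUS1.lboro.ac.uk"))
    print(domain_suffix_match(ServerCertNames("192.0.2.10"), "lboro.ac.uk"))
```

The last case shows why an IP-literal CN is unhelpful here: it can never satisfy a name-based check, and there is no DNS available at this stage to make it meaningful.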