WildCard/Subject Alternative Names Cert Question
Casartello, Thomas
tcasartello at wsc.ma.edu
Fri Apr 15 21:42:57 CEST 2011
Hello.
I have a FreeRADIUS setup using PEAP/MSCHAPv2 to authenticate wireless clients against an Active Directory environment. We've recently purchased a new wildcard certificate from DigiCert for our organization. The RADIUS server is not covered by the wildcard common name on the certificate; however, I have a subject alternative name specifying the RADIUS server hostname on it as well.

On my new cert, connection to the system fails when I try validating the new cert (I have all the possible cert authorities checked off). If I uncheck "validate the cert", I am then able to connect. As soon as I put the old cert back in place, validation works fine. The old cert was a free single-name cert from IPS CA. The new cert is a wildcard duplicate issued by DigiCert that has the server name as a subject alternative name, as it is not covered by the wildcard common name we are using. I generated the CSR for this certificate copy using the tools in FreeRADIUS (XPExtensions and whatnot).

Should this kind of cert work, or does 802.1X/PEAP/MSCHAPv2 not support validating by subject alternative names? I tried including the CA cert in a chain file and not including it, and had the same results either way. I know the CA is trusted by Microsoft, as this same wildcard cert works in our web applications.
Tom
Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University
(413) 572-8245
Red Hat Certified Technician (RHCT)
Cisco Certified Network Associate (CCNA)
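A way to check the things the post is asking about on the server side (whether the wildcard CN or a SAN entry covers the RADIUS hostname, whether the serverAuth "XP extension" is present, and whether the chain verifies against the CA file) is shown below. This is an added example, not code from the original post or from FreeRADIUS; it assumes `openssl` 1.1.1 or newer is installed, and every hostname in it (example.edu, radius.net.example.edu) is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a RADIUS server
# certificate with openssl. All hostnames below are constructed.
set -eu

# Single-label wildcard match: "*.example.edu" covers "a.example.edu"
# but not "a.b.example.edu" and not "example.edu" itself.
wildcard_matches() {      # $1 = pattern (CN or SAN), $2 = hostname
  pat=$1; host=$2
  case "$pat" in
    \*.*) suffix=${pat#\*.}; label=${host%%.*}
          [ "$host" = "$label.$suffix" ] ;;
    *)    [ "$pat" = "$host" ] ;;
  esac
}

cert_cn() {               # print the subject CN of a PEM certificate
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

cert_san_dns() {          # print SAN DNS entries, one per line
  openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

cert_has_server_auth() {  # EKU serverAuth, the "XP extension" clients expect
  openssl x509 -noout -text -in "$1" | grep -q 'TLS Web Server Authentication'
}

cert_covers_host() {      # $1 = cert, $2 = hostname; 0 if CN or a SAN covers it
  wildcard_matches "$(cert_cn "$1")" "$2" && return 0
  for n in $(cert_san_dns "$1"); do
    wildcard_matches "$n" "$2" && return 0
  done
  return 1
}

chain_ok() {              # $1 = CA bundle, $2 = server cert; the chain check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed self-signed cert shaped like the one in the post: a wildcard
# CN that does NOT cover the RADIUS host, plus a SAN entry that does.
make_demo_cert() {        # $1 = output PEM path (key goes to "$1.key")
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
    -subj "/CN=*.example.edu" \
    -addext "subjectAltName=DNS:radius.net.example.edu" \
    -addext "extendedKeyUsage=serverAuth" -out "$1" 2>/dev/null
}
```

Point `cert_covers_host` and `chain_ok` at the real server cert and CA file from the FreeRADIUS EAP configuration to see which of the three checks fails for the production hostname.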