WildCard/Subject Alternative Names Cert Question
Phil Mayers
p.mayers at imperial.ac.uk
Fri Apr 15 22:14:19 CEST 2011
On 04/15/2011 08:42 PM, Casartello, Thomas wrote:
> whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2
> not support validating by subject alternative names?
This isn't really a FreeRADIUS question; it's down to the supplicant to
permit or deny the cert.
Anyway... Section 3.2.7.1 of MS-WSH says:
"""
If the isValidateServerNameEnabled is set to TRUE, then verify that the
subject name (Section 4.1.2.6 of [RFC5280]) or subject alternative name
(section 4.2.1.6 of [RFC5280]) of the server certificate exists in
ServerNames.
"""
i.e. it should honour subjectAltName. But Microsoft have a habit of
ignoring their own standards, so if you're sure your certificate is
good, then the only way to be sure is to turn on client EAP tracing and dig
in the logs to see why it's being refused.