WildCard/Subject Alternative Names Cert Question

Casartello, Thomas tcasartello at wsc.ma.edu
Sat Apr 16 03:42:32 CEST 2011


When you say client EAP tracing do you mean on the Microsoft side, or is there something you can do on the FreeRADIUS side? When I look up EAP tracing I get information about generating Microsoft EAP host tracing files, but it's in an unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing?

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Friday, April 15, 2011 4:14 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: WildCard/Subject Alternative Names Cert Question

On 04/15/2011 08:42 PM, Casartello, Thomas wrote:

> whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2
> not support validating by subject alternative names.

This isn't really a FreeRADIUS question; it's down to the supplicant to 
permit or deny the cert.

Anyway... Section 3.2.7.1 of MS-WSH says:

"""
If the isValidateServerNameEnabled is set to TRUE, then verify that the 
subject name (Section 4.1.2.6 of [RFC5280]) or subject alternative name 
(section 4.2.1.6 of [RFC5280]) of the server certificate exists in 
ServerNames.
"""

i.e. it should honour subjectAltName. But Microsoft have a habit of 
ignoring their own standards, so if you're sure your certificate is 
good, then the only way to be sure is to turn on client EAP tracing and dig 
in the logs to see why it's being refused.
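The rule quoted from MS-WSH 3.2.7.1 (pass if the subject name or a subjectAltName entry exists in ServerNames, and skip the check entirely when isValidateServerNameEnabled is off) can be written out as a small checker, which is useful for reasoning about why a given certificate might be refused before digging through supplicant traces. The code below is an added example, not part of the original thread and not Microsoft's or FreeRADIUS's implementation; the certificate fields, the ServerNames list, and the assumption that a wildcard is honoured only as the whole leftmost label (RFC 6125 style) are all constructed for illustration, since the thread does not say how the Windows supplicant treats wildcards.

```python
"""Emulate the server-name check quoted from MS-WSH section 3.2.7.1.

Constructed example: the certificate fields and ServerNames list are
made-up inputs, and the wildcard semantics (wildcard honoured only as the
entire leftmost label, as in RFC 6125) are an assumption, not something
the original thread states.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """The parts of a server certificate the check looks at."""
    subject_cn: str                                     # Subject commonName
    san_dns: List[str] = field(default_factory=list)    # subjectAltName dNSName entries


def _name_matches(presented: str, configured: str) -> bool:
    """Case-insensitive DNS name match.

    A '*' in the presented name is accepted only as the whole leftmost label
    and only when the remaining labels are identical (assumed semantics).
    """
    presented = presented.lower().rstrip(".")
    configured = configured.lower().rstrip(".")
    if presented == configured:
        return True
    p_labels, c_labels = presented.split("."), configured.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(c_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == c_labels[1:]


def matched_name(cert: ServerCert, server_names: List[str]) -> Optional[str]:
    """Return the configured ServerName the certificate satisfies, or None.

    Mirrors the quoted rule: the subject name OR any SAN entry must exist
    in ServerNames.
    """
    candidates = [cert.subject_cn] + cert.san_dns
    for configured in server_names:
        for presented in candidates:
            if _name_matches(presented, configured):
                return configured
    return None


def validate_server_name(cert: ServerCert, server_names: List[str],
                         validate_enabled: bool = True) -> bool:
    """isValidateServerNameEnabled semantics: the check is skipped when disabled."""
    if not validate_enabled:
        return True
    return matched_name(cert, server_names) is not None


def explain(cert: ServerCert, server_names: List[str]) -> str:
    """Human-readable verdict listing what was presented against what was configured."""
    hit = matched_name(cert, server_names)
    presented = [cert.subject_cn] + cert.san_dns
    if hit is not None:
        return f"accepted: '{hit}' matched one of {presented}"
    return f"refused: none of {presented} matched ServerNames {server_names}"


if __name__ == "__main__":
    # Constructed certificate: CN plus two SAN entries, one of them a wildcard.
    cert = ServerCert("radius.example.edu",
                      ["radius.example.edu", "*.wireless.example.edu"])
    print(explain(cert, ["radius.example.edu"]))
    print(explain(cert, ["auth.wireless.example.edu"]))
    print(explain(cert, ["example.edu"]))
```

Running the script prints one verdict per configured ServerNames list; the third case is refused because a wildcard only stands in for a single label, so it cannot cover a name with fewer labels than the pattern.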