radius server presenting itself as 127.0.0.1

Morris, Andi amorris at cardiffmet.ac.uk
Thu Mar 6 17:13:41 CET 2014


Thanks for the replies everyone.
The revocation wasn't going as planned so I did as Alan suggested and restored the folder from a backup I made before running the first 'make'. I then edited the ca.cnf to give a different commonName to the server.cnf, ran make again and all went well. However, I am still seeing the servername as being 127.0.0.1 on the Windows supplicant.

Cheers,
Andi

-----Original Message-----
From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of John Dennis
Sent: 06 March 2014 15:55
To: FreeRadius users mailing list
Subject: Re: radius server presenting itself as 127.0.0.1

On 03/06/2014 10:10 AM, Morris, Andi wrote:
> However, I've just spotted that I had the same commonName for both my 
> server.cnf and ca.cnf.

That's a problem and one I've seen others make. Any cert whose subject and issuer are identical is considered a self-signed cert and you won't "chain up" to the signing CA cert. It also becomes ambiguous when both certs are present. Each X509 library may handle this differently so you may get different results depending on the implementation. The simple answer is "don't do it", it just creates problems.

FWIW certs are disambiguated by the <subject, serial> pair, CAs are never supposed to issue a cert with a previously used serial number. But the issuer field in a cert only contains a subject, this is why you'll often see the serial embedded in the subject of an issuer cert, it helps to properly identify the correct issuer cert.

--
John
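
The subject/issuer collision described in the reply above can be checked with openssl before the certificates are deployed. The script below is an added example, not part of the original thread or FreeRADIUS's own tooling; the function names, the sample CNs, and the `ca.pem`/`server.pem` file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag a server cert whose subject
# equals its issuer. File names and CNs below are assumptions.

# Print the subject or issuer DN of a PEM certificate in RFC 2253 form.
cert_name() {                      # $1 = subject|issuer, $2 = cert file
    openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed "s/^$1= *//"
}

# Exit 0 when subject and issuer are identical, i.e. the case where an
# X509 library may treat the cert as self-signed whoever signed it.
cert_is_self_issued() {
    [ "$(cert_name subject "$1")" = "$(cert_name issuer "$1")" ]
}

# check_server_cert CA SERVER
# returns 0 = names chain up, 1 = subject/issuer collision, 2 = wrong CA
check_server_cert() {
    if cert_is_self_issued "$2"; then
        echo "COLLISION: $2 has subject == issuer ($(cert_name subject "$2"))"
        return 1
    fi
    if [ "$(cert_name issuer "$2")" != "$(cert_name subject "$1")" ]; then
        echo "MISMATCH: $2 was not issued under the subject of $1"
        return 2
    fi
    echo "OK: $2 -> $(cert_name issuer "$2")"
}

# Build a throwaway CA and a server cert signed by it (constructed sample
# data for trying the check; not how FreeRADIUS's Makefile does it).
make_sample() {                    # $1 = dir, $2 = CA CN, $3 = server CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 1 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.pem" 2>/dev/null
}

# Usage: sh check_names.sh ca.pem server.pem
if [ "$#" -eq 2 ]; then
    check_server_cert "$1" "$2"
fi
```

The check compares the full distinguished name, so two certificates that share a commonName but differ in another DN field are not reported as a collision.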