Configuring PEAP

A.L.M.Buxey at A.L.M.Buxey at
Thu Sep 24 18:15:49 CEST 2015


> Is there any issue you can think of using 3.0.9 on CentOS 6? I don't mind
> building it from source if the infrastructure will support it.

MPPE issue in 3.0.9 - wait until 3.0.10 (if you've got TTLS clients and
TLS 1.2 around......) :-)

some around here would say to use 3.1.x - all depends on how you feel.
I have 3.1.x on a couple of production systems...stability isn't an issue
from my experience and I needed the features....

> Oh, I know this part, but I'm wondering how the CN is *used*. Specifically,
> is my FreeRADIUS server sending something that has to match the cert? If my

your server sends its cert (the one with the CN)..and the client is configured to
check that value.  the server's hostname isn't in the mix at all. its identity
is only via the CN in the server string...which means.... yes, you've got it,
if you have multiple servers you can have exactly the same server certificate
on all of them making your client config very nice and simple (and meaning
you DON'T need wildcards or nasty things like that)

> CN is used between the client and server would be great, though. In this
> case, it's assumed that the clients won't have other access to the network
> until they authenticate and connect through the WAPs and FreeRADIUS.

assumed? that's exactly how it works :-)
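
The client-side CN check described in the reply above, shown as an added example that is not part of the original post. It assumes the client is wpa_supplicant; the SSID, identities, CA path and CN are constructed placeholders.

```conf
# wpa_supplicant.conf network block for PEAP (constructed values throughout).
# The same block works against every RADIUS server that presents the shared
# certificate, because nothing here refers to a server hostname or IP.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice@example.org"
    anonymous_identity="anonymous@example.org"
    password="CHANGE-ME"

    # Trust only the CA that issued the RADIUS server certificate.
    # If ca_cert (or ca_path) is omitted, the server certificate is not
    # verified at all and the client will run PEAP with any server.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"

    # Require the expected CN in the certificate subject. This is a
    # substring match against the subject string.
    subject_match="/CN=radius.example.org"

    # Stricter alternative: full-name match against the dNSName SAN,
    # falling back to the CN when the certificate has no dNSName SAN.
    # domain_match="radius.example.org"
}
```

Pinning the CA alone is not enough when it is a public CA, since any certificate it issued would then be accepted; the subject or domain match is what ties the client to this particular server certificate.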

