Hello.


I have a FreeRADIUS setup using PEAP/MSCHAPv2 to authenticate wireless clients
against an Active Directory environment. We've recently purchased a new
wildcard certificate from DigiCert for our organization. The RADIUS server is
not covered by the wildcard common name on the certificate; however, I have a
subject alternative name specifying the RADIUS server hostname on it as well.
On my new cert, connection to the system fails when I try validating the new
cert (I have all the possible cert authorities checked off). If I uncheck
validate the cert, I am then able to connect. As soon as I place the old cert
back in place, validation works fine. The old cert was a free single-name cert
from IPS CA. The new cert is a wildcard duplicate issued from DigiCert that has
the server name as a subject alternative name, as it is not covered by the
wildcard common name we are using. I generated the CSR for this certificate copy
using the tools in FreeRADIUS (XPExtensions and whatnot). Should this kind of a
cert work, or does 802.1X/PEAP/MSCHAPv2 not support validating by subject
alternative names? I tried including the CA cert in a chain file and not
including it and had the same results either way. I know the CA is trusted by
Microsoft as this same wildcard cert works in our web applications.


Tom

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University
(413) 572-8245

Red Hat Certified Technician (RHCT)
Cisco Certified Network Associate (CCNA)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
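
As an added illustration (not code from the post or from FreeRADIUS), the checks a validating client applies to the server certificate, run through Go's standard x509 validator, which matches the hostname only against SAN entries and not the CN: a throwaway CA, the wildcard `*.example.test` and the host `radius.net.example.test` are all constructed names, and the validator is a generic TLS one rather than any particular supplicant.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildChain makes a throwaway CA (constructed for this example) and a server
// cert whose CN is the wildcard "*.example.test" but whose SAN holds sanNames.
func BuildChain(sanNames []string) (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, _ := x509.ParseCertificate(caDER) // DER produced just above is well-formed
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.example.test"},
		DNSNames:  sanNames, // hostname matching uses these entries, not the CN
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // required by TLS clients
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, ca, srvPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	srv, _ := x509.ParseCertificate(srvDER)
	return ca, srv, nil
}

// ValidateForHost runs what a validating client checks: trusted chain, host in the SAN, serverAuth EKU.
func ValidateForHost(ca, srv *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

With the SAN entry present the two-label host validates, while the wildcard alone covers only one label (`www.example.test`) and fails for `radius.net.example.test`.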