On 04/15/2011 08:42 PM, Casartello, Thomas wrote:

> whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2
> not support validating by subject alternative names?

This isn't really a FreeRADIUS question; it's down to the supplicant to permit or deny the cert.

Anyway... Section 3.2.7.1 of MS-WSH says:

"""
If the isValidateServerNameEnabled is set to TRUE, then verify that the subject name (Section 4.1.2.6 of [RFC5280]) or subject alternative name (section 4.2.1.6 of [RFC5280]) of the server certificate exists in ServerNames.
"""

i.e. it should honour subjectAltName. But Microsoft have a habit of ignoring their own standards, so if you're sure your certificate is good, then the only way to be sure is to turn on client EAP tracing and dig in the logs to see why it's being refused.
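The rule quoted from MS-WSH 3.2.7.1, as an added example that is not part of the original post and is not FreeRADIUS or Microsoft code: it reports which certificate names would satisfy the check, which helps rule the certificate in or out before digging through EAP traces. Assumptions: the certificate is a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, ServerNames is modelled as a `;`-separated string compared case-insensitively and exactly, and all hostnames are constructed.

```python
# Added example: models the MS-WSH 3.2.7.1 rule quoted above.
# Assumptions (not from the post): ServerNames is a ';'-separated string and
# names are compared as exact, case-insensitive strings. A real supplicant
# may match differently, which is what the EAP trace would reveal.

def cert_names(cert):
    """Return (subject CNs, SAN dNSNames) from a dict shaped like
    ssl.SSLSocket.getpeercert() output."""
    cns = [value
           for rdn in cert.get("subject", ())
           for key, value in rdn
           if key == "commonName"]
    sans = [value
            for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    return cns, sans


def check_server_name(cert, server_names):
    """Return (field, name) pairs from the certificate that appear in
    server_names; an empty list means the modelled check would fail."""
    allowed = {n.strip().lower() for n in server_names.split(";") if n.strip()}
    cns, sans = cert_names(cert)
    hits = [("subject CN", n) for n in cns if n.lower() in allowed]
    hits += [("subjectAltName", n) for n in sans if n.lower() in allowed]
    return hits


# Constructed sample certificate: the RADIUS name appears only as a SAN.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "www.example.org"),)),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "radius.example.org"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for configured in ("radius.example.org",
                       "RADIUS.example.org; nps.example.org",
                       "radius1.example.org"):
        hits = check_server_name(SAMPLE_CERT, configured)
        print(f"{configured!r}: {hits if hits else 'NO MATCH'}")
```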