Hello,

> On 2 Nov 2017, at 12.06, Tuure Vartiainen <varti...@open.com.au> wrote:
>
>> On 31 Oct 2017, at 16.34, Jan Tomasek <j...@tomasek.cz> wrote:
>>
>> On 10/13/2017 06:57 PM, Tuure Vartiainen wrote:
>>>> On 11 Oct 2017, at 20.28, Jan Tomasek <j...@tomasek.cz> wrote:
>>>>
>>>> Originally we were using hostnames, but as our eduroam federation
>>>> was growing Radiator start was going to be slower and slower. Delay
>>>> was indeterministic and was caused by hostname to IP translation,
>>>> so we switched to IP addresses. But IP addresses are complicating
>>>> peer verification. At this moment we are using TLS_ExpectedPeerName
>>>> but our peers sometimes try to use a certificate which has no right
>>>> SubjectDN, it would be better to be able to verify
>>>> SubjectAltName:DNS. Is there any chance to get this implemented?
>>>> Something like TLS_SubjectAltNameURI but for DNS?
>>>>
>>>
>>> Radiator currently supports SubjectAltName:DNS when it's an initiator
>>> for RadSec connection.
>>
>> How to configure this? My problem is that I need to initiate RadSec
>> connection by IP address this way:
>>
>> <Handler RecvFromAddress=/^(?!195.113.xx.x$)/o, Realm=vsup.cz>
>> Identifier vsup_cz
>> <AuthBy RADSEC>
>> Host 195.113.xx.x
>> Secret radsec
>>
>> When I use HOST = IPaddress I've no option how to tell Radiator which value
>> to compare against SubjectAltName:DNS.
>>
>
> SubjectAltName:DNS matches against configured Host, so it only works when
> using FQDNs.
>
> I changed the feature request to target adding TLS_SubjectAltNameDNS
> configuration option similar to
> TLS_SubjectAltNameURI.
>
> http://www.open.com.au/radiator/ref/TLS_SubjectAltNameURI.html#TLS_SubjectAltNameURI
>
There's now a new config option TLS_SubjectAltNameDNS in latest patches, which can be used to define expected FQDN for SubjectAltName:DNS.

BR
--
Tuure Vartiainen <varti...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
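The check the thread is asking for, as an added illustration that is not Radiator's code and not part of the original mailing-list message: when a RadSec initiator is configured with an IP address in `Host`, the TLS layer has no hostname to match against the peer certificate, so the expected FQDN has to come from configuration (the role TLS_SubjectAltNameDNS plays above) and be compared against the certificate's SubjectAltName:DNS entries rather than its Subject DN. The Go program below uses only the standard library's `crypto/x509`; the certificate it builds, the names `radsec.example.org` and `wrong-subject.example.org`, and the TEST-NET address `192.0.2.10` are all constructed for the example and stand in for the masked values in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makePeerCert builds a constructed, self-signed test certificate whose
// Subject CN deliberately differs from its SubjectAltName:DNS entries. This
// mirrors the situation in the thread: the peer presents a certificate whose
// SubjectDN is not what TLS_ExpectedPeerName wants, but whose DNS SAN is fine.
func makePeerCert(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames, // the SubjectAltName:DNS entries
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PeerNameMatches is the check an initiator needs when it connects by IP:
// the expected FQDN is supplied by configuration (not derived from Host) and
// matched against the certificate's SAN entries. x509 VerifyHostname matches
// a DNS name against DNSNames and an IP literal against IPAddresses; with SANs
// present the Subject CN is not consulted, which is exactly why a peer with a
// "wrong" SubjectDN but a correct DNS SAN is accepted and an IP is not.
func PeerNameMatches(cert *x509.Certificate, expectedFQDN string) bool {
	return cert.VerifyHostname(expectedFQDN) == nil
}

func main() {
	cert, err := makePeerCert("wrong-subject.example.org", []string{"radsec.example.org"})
	if err != nil {
		panic(err)
	}
	// Constructed names: the configured FQDN, the IP used as Host, and the CN.
	for _, name := range []string{"radsec.example.org", "192.0.2.10", "wrong-subject.example.org"} {
		fmt.Printf("expected %-28s -> match=%v\n", name, PeerNameMatches(cert, name))
	}
}
```

Running it shows only the configured FQDN matching: the IP literal fails because the certificate carries no IP SAN, and the Subject CN fails because SAN entries take precedence once they are present. That is the behaviour a `Host <IP>` plus expected-FQDN configuration relies on.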