On 20/09/2011 12:19, Osborne, Bruce W wrote:
-----Original Message-----
From: Dennis Xu [mailto:[email protected]]
Sent: Monday, September 19, 2011 3:04 PM
Subject: Re: Issue with Microsoft NPS certs and ipads/iphones
We use the same certificate on two ACS servers for PEAP authentication to avoid
the certificate warning when user connects to the 2nd ACS server. We haven't
seen any issues with that.
> Dennis,
>
> How does that work? The two servers have different hostnames & DNS entries, I assume.
>
> I do not think it would work in our NPS environment anyway. Our
> NPS servers are also Read-Only Domain Controllers (each in their
> own site). This removes the RADIUS server load from our production
> Domain Controllers.
The names on the certificate are irrelevant as such, as long as:
- The client trusts the CA that signed the cert
- The client trusts the CN on the presented cert.
The certificates are used for TLS in the EAP transaction that forms the
authentication. There is no DNS at this point - you don't even have a
network connection as such yet.
This is why [some] supplicants allow you to specify certificate CN
verification. In windows this is the "Connect to these servers:" field.
Without this your supplicant would trust any cert signed by your CA (which
is why it's recommended that you do not use a public CA for EAP).
Regards,
James
--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.
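The two checks James describes (chain to a trusted CA, then CN on the client's allowed-server list, with no DNS involved) can be modelled end to end with nothing but the openssl command line. The script below is an added example for this thread, not code from any of the posters or from NPS/ACS/Windows; the CA names, hostnames, file names and the shell function names are all invented for the illustration, and the empty-list case stands in for leaving the Windows "Connect to these servers:" field blank.

```shell
#!/bin/sh
# Added example, not part of the original thread. It models the two checks a
# supplicant makes on the RADIUS/NPS server certificate inside the PEAP TLS
# handshake: (1) the cert chains to the CA the client trusts, (2) the subject
# CN is on the client's allowed-server list (Windows: "Connect to these
# servers:"). Only openssl is used. All names below are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name> <CN>: throwaway self-signed CA (stand-in for the org's PKI).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert <ca-name> <name> <CN>: leaf certificate signed by that CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$2.pem" 2>/dev/null
}

# cert_cn <cert.pem>: print the subject CN (the value the supplicant compares).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# supplicant_accepts <cert.pem> <trusted-ca.pem> <allowed CNs, ';' separated>
# Returns 0 only when both checks pass. An empty allowed list means "no CN
# check", i.e. the supplicant trusts anything the CA signed (James's warning).
# There is no DNS lookup anywhere: the client has no IP connectivity yet, so
# the CN is matched against a configured list, never against a resolved name.
supplicant_accepts() {
  cert=$1 ca=$2 allowed=$3
  # Check 1: chain to the trusted CA ("validate server certificate").
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # Check 2: CN must be on the list ("Connect to these servers:").
  [ -z "$allowed" ] && return 0
  cn=$(cert_cn "$cert")
  case ";$allowed;" in
    *";$cn;"*) return 0 ;;
    *)         return 1 ;;
  esac
}

# --- Scenario (invented) ---------------------------------------------------
make_ca   orgca   "Example University Internal CA"   # the CA the clients trust
make_ca   otherca "Some Other CA"                    # a CA they do not trust

# One certificate, CN=radius.example.edu, installed on both RADIUS servers;
# their real hostnames never appear in the handshake, so one cert serves both.
issue_cert orgca   shared  "radius.example.edu"
# Another cert legitimately issued by the same CA, e.g. for a web server.
issue_cert orgca   webcert "www.example.edu"
# The right CN, but issued by a CA the client does not trust.
issue_cert otherca rogue   "radius.example.edu"

ALLOWED="radius.example.edu"
CA="$WORK/orgca.pem"

for name in shared webcert rogue; do
  if supplicant_accepts "$WORK/$name.pem" "$CA" "$ALLOWED"; then
    echo "$name (CN=$(cert_cn "$WORK/$name.pem")): ACCEPTED"
  else
    echo "$name (CN=$(cert_cn "$WORK/$name.pem")): REJECTED"
  fi
done
```

With the CN list set, only the shared certificate is accepted: "webcert" fails check 2 and "rogue" fails check 1. Run "webcert" again with an empty allowed list and it is accepted, which is exactly the exposure James points to: once the trusted CA is one that issues certificates to other parties (a public CA being the extreme case), the CN list is the only thing stopping any holder of a certificate from that CA from impersonating the RADIUS server.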