On 15/09/2010 19:43, John Dennis wrote:
> On 09/15/2010 02:21 PM, Alan Buxey wrote:
>> Hi,
>>
>> seems okay
>>
>>> For certificate, do we need a server certificate for both radius1 and
>>> radius2 if we want supplicant to verify the server certificate?
>>
>> you can use the same server certificate - so that the clients recognise
>> them as the same - important if there is to be any failover.... have the
>> CN to be e.g. radius.yourdomain
>
> Depends upon how aggressive the client is about validating the cert. The
> libraries I'm familiar with will take the CN of the subject, do a DNS
> lookup and see if it matches the IP address on the socket. In which case I
> wouldn't expect the above to work.

Context folks! - You are authenticating your network connection, there is no DNS at this point... and even if there was, the NAS doesn't "have an IP", it's an EAPoL transaction.

Alan B is correct - use exactly the same certificate on the two servers.

-James