On Sun, 31 Jan 2010, Alan Buxey wrote:
> > Hi,
> > In the Windows WPA setup screen, Protected EAP Properties, there are
> > options to "Validate server certificate", and "Connect to these servers".
> > Do I specify my two Radius servers there? My clients don't have direct
> > access to my Radius servers, so what actually happens when I enter them
> > here? Does it just compare the FQDN to the one on the certificate that is
> > presented during the login?
>
> your 2 radius servers can have the same cert, there is no issue
> there (eg radius.my.org) - don't forget, this is all pre-network stuff
> so no DNS is involved.
>
> and yes, the value entered in that part is a string match to the
> name in the certificate sent via the RADIUS server.
>
> some supplicants easily let you enter more than one RADIUS server name,
> use multiple certs etc.
Ok, so I could just establish a certificate for a single host name, apply
that same certificate to all my FreeRadius servers, and in that "Connect
to these servers" client field, just enter the 'common name' entered on
the certificate? I wonder if a wildcard cert would work for this. As in
*.myorg.ca, then entering *.myorg.ca for client servers field. Just asking
because I have one of those.
In the README file there is this warning:
"You will have to ensure that the certificate contains the XP
extensions needed by Microsoft clients."
But I can't find any further information about it. How do I ensure my
certificate has these extensions? Would a CA signed cert have this?
-Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
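An added example, not code from this thread or from the FreeRADIUS project: a POSIX shell check, using openssl, for the two properties the exchange turns on. First, that the RADIUS server certificate carries the serverAuth extended key usage (OID 1.3.6.1.5.5.7.3.1), which is the extension the README's "XP extensions" warning is about and which Windows PEAP supplicants require; second, that the name typed into "Connect to these servers" appears as the certificate's CN or as a DNS subjectAltName, which is the string match Alan describes. `make_test_cert` builds a constructed, self-signed test certificate from a small openssl config whose `v3_server` section is this example's own (the section name and file layout are assumptions, not the README's file). `check_peap_cert` is the check you would run against a real certificate before deploying it to the servers.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or FreeRADIUS).
# Requires the openssl command-line tool.

# make_test_cert DIR NAME WITH_EKU
# Writes DIR/server.key and DIR/server.pem: a constructed self-signed test
# certificate for NAME. WITH_EKU=yes adds the serverAuth extended key usage
# (OID 1.3.6.1.5.5.7.3.1) that Windows supplicants look for; WITH_EKU=no
# reproduces a certificate that lacks it.
make_test_cert() {
  dir="$1"; name="$2"; with_eku="$3"
  # Hypothetical config; the "v3_server" section name is this example's own.
  cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_server
[ dn ]
CN = $name
[ v3_server ]
subjectAltName = DNS:$name
EOF
  if [ "$with_eku" = "yes" ]; then
    echo "extendedKeyUsage = serverAuth" >> "$dir/server.cnf"
  fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
}

# check_peap_cert CERT EXPECTED_NAME
# Returns 0 when CERT has the serverAuth EKU and EXPECTED_NAME matches its
# CN or a DNS SAN exactly; 1 when either check fails; 2 if CERT is unreadable.
# The name comparison is a plain string match, like the supplicant field:
# no wildcard evaluation is attempted.
check_peap_cert() {
  cert="$1"; expected="$2"
  text=$(openssl x509 -in "$cert" -noout -text) || return 2
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 2

  # 1. Extended Key Usage must list TLS Web Server Authentication (serverAuth).
  if ! printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
       | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: $cert lacks the serverAuth extended key usage" >&2
    return 1
  fi

  # 2. EXPECTED_NAME must be the CN (RFC2253 subject) or a DNS subjectAltName.
  if printf '%s\n' "$subj" | grep -Eq "(^subject= ?|,)CN=$expected(,|$)" \
     || printf '%s\n' "$text" | grep -Eq "DNS:$expected(,|$)"; then
    echo "OK: $cert has serverAuth EKU and matches name $expected"
    return 0
  fi
  echo "FAIL: $cert does not name $expected in CN or DNS SAN" >&2
  return 1
}

# Usage (constructed demo):
#   d=$(mktemp -d); make_test_cert "$d" radius.example.org yes
#   check_peap_cert "$d/server.pem" radius.example.org   # -> OK, exit 0
#   check_peap_cert "$d/server.pem" other.example.org    # -> FAIL, exit 1
```

The same `check_peap_cert` call works against a CA-issued certificate: being CA-signed does not by itself guarantee the serverAuth EKU is present, so run the first check on whatever the CA returns before installing it on the servers.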