Alan DeKok wrote:
> Sallee, Stephen (Jake) wrote:
>>> The various EAP methods *should* have tied usernames (i.e. domains)
>>> to a field in the certificate. e.g. a cert with CN "[email protected]"
>>> should be sent logins for "[email protected]", but NEVER sent logins
>>> for "[email protected]"
>>
>> How does this work out with child domains? For example: I have two
>> domains 1) umhb.edu and 2) Cru.umhb.edu. "Cru" is a child of
>> "umhb.edu". If I get a single cert for FreeRADIUS.umhb.edu, will it be OK
>> for authenticating users on both umhb.edu AND Cru.umhb.edu?
>
> I said it SHOULD have been that way. It doesn't work that way now.
>
> There is NO tying of certificate CNs to user names.
We should probably expand on that. With respect to the server's certificate, there is nothing tying it to anything on any client I've tested. The server's certificate is presented and you are allowed to accept it. If it isn't signed by a trusted authority you may have to click some additional warnings.

FreeRadius can of course compare the client cert's CN to the username, for what it's worth. On most platforms, the user can put whatever they want for the username, though. Or on XP, it gets auto-filled with the value of the CN from the client's certificate. So that particular check is of dubious value.

With respect to Jake's question, I'm not sure if he's talking about the server certificate or the client certificate. Strictly speaking, server certificates are not really tied to a domain or DNS entry with EAP. I don't think the client ever actually sees the true IP address of the radius server or its domain name. The NAS does (or might), but from the client to the Radius server it's all encapsulated and strictly speaking isn't IP traffic at all. You can use the server cert wherever you want, no matter what DNS name is on it. As long as you can get the users to click OK when they are presented with it, it will be fine.

-David Mitchell

--
-----------------------------------------------------------------
| David Mitchell ([email protected])    Network Engineer IV       |
| Tel: (303) 497-1845                  National Center for        |
| FAX: (303) 497-1818                  Atmospheric Research       |
-----------------------------------------------------------------

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
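The client-cert check David mentions is the `check_cert_cn` option in the `tls` section of eap.conf; the fragment below is an added example (not from the thread or the FreeRADIUS distribution) in the 2.x configuration style, with the file paths and `${certdir}`/`${cadir}` variables assumed to match the stock eap.conf.

```conf
# eap.conf, tls sub-section (added example, FreeRADIUS 2.x style).
# Paths and the ${certdir}/${cadir} variables are assumed to be
# defined as in the stock configuration.
eap {
    default_eap_type = tls

    tls {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file          = ${cadir}/ca.pem

        # Reject the EAP-TLS client certificate unless its CN is exactly
        # equal to the User-Name the supplicant sent in the EAP identity.
        # Note the caveat from the thread: the supplicant chooses
        # User-Name, so this only ties the cert to a name the user
        # typed (or, on XP, the one auto-filled from the same cert);
        # it does not bind the cert to a realm or child domain.
        check_cert_cn = %{User-Name}
    }
}
```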

