On 09/15/2010 02:21 PM, Alan Buxey wrote:
> Hi,
>
> seems okay
>
>> For certificate, do we need a server certificate for both radius1 and
>> radius2 if we want supplicant to verify the server certificate?
>
> you can use the same server certificate - so that the clients recognise
> them as the same - important if there is to be any failover.... have the
> CN to be eg radius.yourdomain

Depends upon how aggressive the client is about validating the cert. The
libraries I'm familiar with will take the CN of the subject, do a DNS
lookup and see if it matches the IP address on the socket. In which case
I wouldn't expect the above to work.

As Kevin just suggested, Subject Alt Names may be a better alternative.

--
John Dennis <[email protected]>
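
An added example, not part of the original thread: how a name-checking client would treat one certificate shared by radius1 and radius2, with and without Subject Alt Names. The host names under yourdomain and the certificate contents are constructed; the dict layout follows what Python's `ssl` module returns from `getpeercert()`, and both the "SAN entries take precedence over the CN" rule and the comparison against an expected server name are assumptions about the client.

```python
# Added illustration. Certificates below are constructed sample data in the
# layout returned by ssl.SSLSocket.getpeercert(); no network access is needed.

def _same_name(a: str, b: str) -> bool:
    """Exact, case-insensitive DNS name comparison (wildcards not handled)."""
    return a.lower().rstrip(".") == b.lower().rstrip(".")

def cert_matches(cert: dict, expected: str) -> bool:
    """Return True if the certificate identifies `expected`.

    Assumed client policy: if the certificate carries any dNSName Subject
    Alt Name, only those are consulted; the subject CN is a fallback used
    only when no dNSName SAN exists.
    """
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_same_name(s, expected) for s in sans)
    cns = [v for rdn in cert.get("subject", ())
           for (key, v) in rdn if key == "commonName"]
    return any(_same_name(c, expected) for c in cns)

def check_all(cert: dict, names: list) -> dict:
    """Map each expected server name to the match result for `cert`."""
    return {n: cert_matches(cert, n) for n in names}

# Shared certificate with only a CN, as suggested in the quoted reply.
CN_ONLY = {"subject": ((("commonName", "radius.yourdomain"),),)}

# Shared certificate that also lists each server as a Subject Alt Name.
WITH_SAN = {
    "subject": ((("commonName", "radius.yourdomain"),),),
    "subjectAltName": (
        ("DNS", "radius.yourdomain"),
        ("DNS", "radius1.yourdomain"),
        ("DNS", "radius2.yourdomain"),
    ),
}

SERVERS = ["radius.yourdomain", "radius1.yourdomain", "radius2.yourdomain"]

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN)):
        for name, ok in check_all(cert, SERVERS).items():
            print(f"{label:9s} {name:20s} {'match' if ok else 'MISMATCH'}")
```

With the CN-only certificate, a client configured to expect either individual server name rejects it; listing every name as a SAN lets the same certificate pass on both servers.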