Hi Alex,

> so you're saying that my radius server also needs to have vpn.york.ac.uk
> as a SubjAltName in it as well ?

Yes, that's one option. Not using the NM plugin is another. With the config files you can set the AAA identity to vpn.york.ac.uk so it matches the certificate (or %any so any identity is accepted, the RADIUS server's certificate just has to be trusted). You can also patch charon-nm so it sets the AAA identity, or make it even configurable in the GUI.

You can also not use EAP-PEAP and just authenticate the clients with EAP-MSCHAPv2/MD5/GTC directly (and if necessary secure the connection between VPN and RADIUS server with IPsec).

Regards,
Tobias
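
The config-file option from the reply above, sketched as a client-side `ipsec.conf` connection. This is an added example, not part of the original message; the connection name, the EAP user name and every setting other than the AAA identity value are assumptions.

```conf
# Client-side ipsec.conf (added example; "york-vpn" and EXAMPLE_USER are placeholders)
conn york-vpn
    keyexchange=ikev2
    right=vpn.york.ac.uk
    # The gateway authenticates with its certificate, the client with EAP-PEAP
    rightauth=pubkey
    leftauth=eap-peap
    eap_identity=EXAMPLE_USER
    leftsourceip=%config
    # Identity the client expects from the AAA (RADIUS) server in the
    # PEAP TLS handshake; value as given in the reply above.
    aaa_identity=vpn.york.ac.uk
    # Alternative from the reply: accept any AAA identity. The name check
    # is then skipped and only the certificate's trust chain is verified.
    # aaa_identity=%any
    auto=add
```

With `%any`, any server holding a certificate from a trusted CA passes the PEAP server check, so pinning the name is the stricter of the two settings.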
