On 19/10/2011 20:20, John York wrote:
Hi
We’re in the process of bringing up a new NPS server, and a contractor
tells me that the cert Common Name and the server’s DNS fqdn don’t have to
match like they do on an SSL server.
“For wireless, any valid certificate will do. It does not have to match
the name of the NPS server. You can use an existing certificate for
anything as long as it’s valid and doesn't invalidate your licensing
agreement with your SSL cert provider.”
If that’s true, I’ve been adding extra complexity to my work for years. I
guess “any valid cert” would also have to come from a CA the user’s
computer accepts. Comments?
Generally [I don't know if NPS has any MS non-standard restrictions]
that's true with EAP. It's probably a good idea to set the CN to something
that looks like a DNS name though.
This also means that you can use the same RADIUS certs on both RADIUS
servers if you have a pair for resilience etc.
Also, because many supplicants don't verify the cert CN (the "connect to
these servers" box in Windows) and just rely on the cert being signed by a
known CA, and because anyone could potentially get a cert from the same
commercial CA as you, it is best practice to use a cert signed by your own
root CA for EAP. You then need to configure each client with this root CA.
Regards,
James
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.