Can I drill into this a bit please, just to be clear on my understanding?

On Thu, 11 Feb 2021, Sweetser, Frank E. wrote:

> "The STA is configured with EAP credentials that explicitly specify a CA
> root certificate that matches the root certificate in the received
> Server Certificate message and, if the EAP credentials also include a
> domain name (FQDN or suffix-only), it matches the domain name
> (SubjectAltName dNSName if present, otherwise SubjectName CN) of the
> certificate [2] in the received Server Certificate message."
>
> In particular, note the bit about SAN if present, otherwise CN. A
> strict reading of this (which Android appears to follow) means that
> unlike the web browser behavior we're all used to, if there is a dNSName
> in the SAN list, then the CN will not be evaluated in matching the
> client configured domain. This means that if you have:
>
> * A client configured domain of myorg.edu
> * A server CN of radius.myorg.edu
> * A server SAN of radius.myotherorg.edu

Particularly, "EAP credential domain name", as contrasted with the "Domain" setting in the client discussed earlier.

My understanding is that the "Domain" setting in the client is telling the client "the RADIUS server must present a certificate with this subjectAltName/CN". Equivalent to the "Validate server certificate" / "Connect to these servers" settings seen elsewhere?

But "EAP credential domain name" to me means the credentials one provides to authenticate as, so usern...@myorg.edu, say. Is this saying that the server cert subjectAltName/CN must be "myorg.edu"? That's not what the common case is now, I would say; most RADIUS server certs would likely carry a name such as "aaa.myorg.org", "radius.myorg.org" or somesuch.

Do I misunderstand "EAP credentials also include a domain name (FQDN or suffix-only)"?
Reading the document a bit more, "EAP credentials" seems to be a broader phrase equated to "network profile" (see 5.3.1), so perhaps it means "the bundle of settings including login credentials and the Domain of the RADIUS server for validation". So "EAP credential domain name" is referring to the Domain (for cert validation), i.e. "radius.myorg.org", not any domain part of the login credentials, i.e. "myorg.org"? Is that a correct reading?

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.
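To make the quoted rule concrete, here is an added example (not from the thread, and not any vendor's supplicant code) that implements the strict "SubjectAltName dNSName if present, otherwise SubjectName CN" reading against Frank's scenario. The certificate names are constructed inline rather than parsed from a real certificate, and the FQDN-versus-suffix semantics (exact match versus parent-domain match on a label boundary) are my assumption of what "FQDN or suffix-only" means; the spec text above does not spell that out.

```python
"""Strict EAP server-certificate domain check (illustrative, not a real supplicant).

Rule under test, as quoted from the spec in the thread above:
  - if the server certificate carries any SubjectAltName dNSName entries,
    only those are compared against the client-configured domain;
  - the Subject CN is consulted only when there is no SAN dNSName at all.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCertNames:
    """Names taken from the RADIUS server's certificate (constructed test data,
    not parsed from a real certificate)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing root dot if present.
    return name.lower().rstrip(".")


def candidate_names(cert: ServerCertNames) -> List[str]:
    """Strict reading: SAN dNSName entries, if any, are the *only* candidates.
    The CN is returned only when the SAN carries no dNSName at all."""
    if cert.san_dns:
        return [_norm(n) for n in cert.san_dns]
    return [_norm(cert.subject_cn)] if cert.subject_cn else []


def name_matches(name: str, configured: str, suffix_only: bool) -> bool:
    """FQDN mode: exact match only.
    Suffix mode (assumed semantics): the configured value must equal the name
    or be a parent domain of it on a label boundary, so 'myorg.edu' accepts
    'radius.myorg.edu' but rejects 'radius.notmyorg.edu'."""
    name, configured = _norm(name), _norm(configured)
    if name == configured:
        return True
    return suffix_only and name.endswith("." + configured)


def server_cert_domain_ok(cert: ServerCertNames, configured: str,
                          suffix_only: bool = True) -> bool:
    """True if the client-configured domain matches the certificate under the
    strict SAN-else-CN rule."""
    return any(name_matches(n, configured, suffix_only)
               for n in candidate_names(cert))


if __name__ == "__main__":
    # Frank's scenario: CN would match, but a non-matching SAN dNSName is
    # present, so under the strict reading the CN is never looked at.
    franks_cert = ServerCertNames(subject_cn="radius.myorg.edu",
                                  san_dns=["radius.myotherorg.edu"])
    print("Frank's case, suffix 'myorg.edu':",
          server_cert_domain_ok(franks_cert, "myorg.edu"))          # False

    # Same certificate without any SAN dNSName: the CN is consulted and matches.
    cn_only = ServerCertNames(subject_cn="radius.myorg.edu")
    print("CN only, suffix 'myorg.edu':",
          server_cert_domain_ok(cn_only, "myorg.edu"))              # True

    # Fix on the server side: put the expected name in the SAN.
    fixed = ServerCertNames(subject_cn="radius.myorg.edu",
                            san_dns=["radius.myotherorg.edu", "radius.myorg.edu"])
    print("SAN includes radius.myorg.edu:",
          server_cert_domain_ok(fixed, "myorg.edu"))                # True
```

The third case is the practical takeaway for the scenario Frank describes: whatever name the client is configured to expect has to appear in the SAN once any dNSName is present there, because the CN stops being a fallback at that point.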