On Thu, 11 Feb 2021, Tim Cappalli wrote:

> Yes, the EAP server certificate subject should be the same eTLD as the 
> credential realm.

I should have used the word realm for clarity, sorry; I couldn't quite 
bring it to mind!

> Said differently, if EAP identity is 
> `t...@capptoso.com`, the server certificate 
> should be `<something>.capptoso.com`.

Right, so not absolutely identically, but the same parent domain?

Hmm.  As an organisation, I might issue credentials to some...@myorg.org, 
someone...@subdomin.myorg.org, and some...@anotherrelatedorg.org, but all 
be authenticated by radius.myorg.org.  How does that square?  In that 
circumstance I have to add more subjectAltNames in my certificate?  And 
know in advance what they are, or keep re-issuing the cert as I add more?  
This seems ... undesirable.

As long as the radius server issues the certificate that the client is 
programmed to expect, I'm not sure why there should be a mandate for a 
match with the EAP realm.

Jethro.


> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jethro R Binks 
> <jethro.bi...@strath.ac.uk>
> Date: Thursday, February 11, 2021 at 10:15
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Android 11 Manual 
> Profile Configuration Variable
> Can I drill into this a bit please, just to be clear on my understanding?
> 
> On Thu, 11 Feb 2021, Sweetser, Frank E. wrote:
> 
> > "The STA is configured with EAP credentials that explicitly specify a CA
> > root certificate that matches the root certificate in the received
> > Server Certificate message and, if the EAP credentials also include a
> > domain name (FQDN or suffix-only), it matches the domain name
> > (SubjectAltName dNSName if present, otherwise SubjectName CN) of the
> > certificate [2] in the received Server Certificate message."
> >
> > In particular, note the bit about SAN if present, otherwise CN.  A
> > strict reading of this (which Android appears to follow) means that
> > unlike the web browser behavior we're all used to, if there is a dNSName
> > in the SAN list, then the CN will not be evaluated in matching the
> > client configured domain.  This means that if you have:
> >
> >
> >   *   A client configured domain of myorg.edu
> >   *   A server CN of radius.myorg.edu
> >   *   A server SAN of radius.myotherorg.edu
> 
> Particularly, "EAP credential domain name", as contrasted with the
> "Domain" setting in the client discussed earlier.
> 
> My understanding is that the "Domain" setting in the client is telling the
> client "the radius server must present a certificate with this
> subjectAltName/CN".  Equivalent to the Validate server connection /
> Connect to these servers settings seen elsewhere?
> 
> But "EAP credential domain name" to me means the credentials one provides
> to authenticate as, so usern...@myorg.edu say.
> 
> Is this saying that the server cert subjectAltName/CN must be "myorg.edu"?
> That's not what the common case is now I would say; most radius server
> certs would likely carry a name "aaa.myorg.org", "radius.myorg.org" or
> somesuch.
> 
> Do I misunderstand "EAP credentials also include a domain name (FQDN or
> suffix-only)" ??
> 
> Reading the document a bit more, "EAP credentials" seems to be a broader
> phrase equated to "network profile" (see 5.3.1), so perhaps means "the
> bundle of settings including login credentials and Domain of radius server
> for validation", so "EAP credential domain name" is referring to the
> Domain (for cert validation) ie "radius.myorg.org", not any domain part of
> the login credentials ie "myorg.org"?  Is that a correct reading?
> 
> Jethro.
> 
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, UK
> 
> The University of Strathclyde is a charitable body, registered in
> Scotland, number SC015263.
> 
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community
> 

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
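
Added example, not part of the original thread and not code from any supplicant: a Python sketch of the quoted matching rule (dNSName SAN if present, otherwise CN) applied to the two scenarios discussed above. The function names, the sample identities and the label-boundary suffix comparison are assumptions made for illustration; no real certificate is parsed.

```python
# Added example: the SAN-before-CN rule quoted in the thread, run over
# constructed names. Helper names and identities are hypothetical.

def names_to_check(san_dns, cn):
    """Strict reading: any dNSName in the SAN list means the CN is ignored."""
    return list(san_dns) if san_dns else ([cn] if cn else [])

def domain_matches(configured, name, suffix_only=True):
    """Case-insensitive FQDN match, or suffix match on a label boundary
    (assumed comparison; 'notmyorg.edu' must not match 'myorg.edu')."""
    configured = configured.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if name == configured:
        return True
    return suffix_only and name.endswith("." + configured)

def server_cert_ok(configured, san_dns, cn, suffix_only=True):
    """True if the client-configured domain matches a name the rule allows."""
    return any(domain_matches(configured, n, suffix_only)
               for n in names_to_check(san_dns, cn))

def realm_of(identity):
    """Realm part of an EAP identity such as user@realm."""
    return identity.rsplit("@", 1)[1].lower()

def realms_not_covered(identities, san_dns, cn):
    """Realms that would fail if the certificate had to match the EAP realm,
    treating each realm as the configured suffix (assumed interpretation)."""
    realms = sorted({realm_of(i) for i in identities})
    return [r for r in realms if not server_cert_ok(r, san_dns, cn)]

# Constructed identities using the realms named in the message above.
IDENTITIES = ["alice@myorg.org", "bob@subdomin.myorg.org",
              "carol@anotherrelatedorg.org"]

if __name__ == "__main__":
    # Client domain myorg.edu, CN radius.myorg.edu, SAN radius.myotherorg.edu:
    # the SAN is present, so the CN is never consulted and the match fails.
    print(server_cert_ok("myorg.edu", ["radius.myotherorg.edu"],
                         "radius.myorg.edu"))
    # Same certificate without any dNSName SAN: the CN is used and matches.
    print(server_cert_ok("myorg.edu", [], "radius.myorg.edu"))
    # One RADIUS name pinned in the client profile works for every realm ...
    print(server_cert_ok("radius.myorg.org", ["radius.myorg.org"], None,
                         suffix_only=False))
    # ... but a realm-must-match rule leaves these realms needing more SANs.
    print(realms_not_covered(IDENTITIES, ["radius.myorg.org"], None))
```
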
