On Nov 16, 2019, at 7:59 AM, Owen Friel (ofriel) <ofr...@cisco.com> wrote:
> [ofriel] this seems like something reasonable, but that's more a general
> deployment recommendation: ensure that the identity/realm of EAP servers is
> different from the identity/domain of webservers within an org. Therefore, in
> the absence of an NAIRealm or id-kp-eapOverLAN extension in a cert, clients
> can still distinguish between the two. Users point their browser clients
> to 'example.org' and wi-fi supplicants are configured to look for
> 'radius.example.org'.
>
> The supplicant logic for verifying EAP server identity (assuming it already
> knows the root CA and a realm/domain string) could be: check for NAIRealm
> first, then check for id-kp-eapOverLAN, then check for a dnsName.
There is currently no document which offers guidance for implementors. There's just common practice, and various standards, which are unfortunately different. Even worse, it's not clear how these practices interact, or how we should migrate from existing practice to using the standards.

I think it would be useful for this WG to have a document which gives these guidelines.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
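As an added example, not code from this thread or from any project its authors work on, the check order the quoted message proposes (NAIRealm, then id-kp-eapOverLAN, then dNSName) applied to constructed self-signed certificates with Python's `cryptography` library. All function names are mine; the OIDs are id-on-naiRealm (RFC 7585) and id-kp-eapOverLAN (RFC 4334); the EKU step is read as "EKU present, then match the configured RADIUS hostname against dNSName", which is an assumption on my part.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

ID_ON_NAIREALM = ObjectIdentifier("1.3.6.1.5.5.7.8.8")    # RFC 7585 id-on-naiRealm
ID_KP_EAPOVERLAN = ObjectIdentifier("1.3.6.1.5.5.7.3.14")  # RFC 4334 id-kp-eapOverLAN
def der_utf8string(s):  # DER UTF8String: tag 0x0c + short-form length (realms here < 128 bytes)
    return bytes([0x0C, len(s.encode())]) + s.encode()

def decode_utf8string(der):  # inverse; reject anything that is not a well-formed short UTF8String
    if len(der) < 2 or der[0] != 0x0C or der[1] != len(der) - 2:
        raise ValueError("malformed NAIRealm otherName value")
    return der[2:].decode()

def make_self_signed(dns_names=(), realms=(), eap_over_lan=False):
    # Constructed self-signed test certificate carrying only the identity fields discussed
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed test cert")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    sans = [x509.DNSName(d) for d in dns_names]
    sans += [x509.OtherName(ID_ON_NAIREALM, der_utf8string(r)) for r in realms]
    if sans:
        b = b.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    if eap_over_lan:
        b = b.add_extension(x509.ExtendedKeyUsage([ID_KP_EAPOVERLAN]), critical=False)
    return b.sign(key, hashes.SHA256())

def eap_server_identity(cert, realm, domain):
    # Precedence proposed in the thread: NAIRealm, then id-kp-eapOverLAN, then bare dNSName.
    # Returns (rule that decided, accepted); an NAIRealm mismatch is final, no fallback.
    try:
        san = list(cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value)
    except x509.ExtensionNotFound:
        san = []
    realms = [decode_utf8string(n.value) for n in san
              if isinstance(n, x509.OtherName) and n.type_id == ID_ON_NAIREALM]
    if realms:
        return "NAIRealm", realm in realms
    dns = [n.value for n in san if isinstance(n, x509.DNSName)]
    try:  # EKU marks an EAP server cert; the hostname is then checked against dNSName (assumption)
        if ID_KP_EAPOVERLAN in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value:
            return "id-kp-eapOverLAN", domain in dns
    except x509.ExtensionNotFound:
        pass
    return "dNSName", domain in dns
```

A web server certificate for 'example.org' never satisfies a supplicant configured for realm 'example.org' and host 'radius.example.org', which is the separation the quoted recommendation relies on.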