Hi,

> I've been searching around the list and the Internet trying to figure 
> out how a wireless client can verify the hostname of the SSL cert 
> provided by Radiator through the NAS as an SMTP or HTTP client would, 
> but I can't seem to find anything insightful. I'm not concerned with how 
> the client uses the SSL chain and its included CAs to verify the cert 
> cryptographically.
> 
> For one, the client doesn't have Internet to make a reverse lookup until 
> they accept the cert.

correct. there are no reverse lookups etc.

the client is configured to trust a CA (and the RADIUS cert is signed by that
CA - either directly or with intermediates that the client either knows or
are passed through to it via the 802.1X certificate phase) and the client is
configured to trust a CN.

that CN is given to the RADIUS certificate.

i.e. client configured to trust a CA and given the CN of a certificate it
should trust. the RADIUS server presents a certificate signed by that trusted
CA and has a name that the client is configured to trust. you'll realise by
now that you don't want to use a public CA as many clients cannot be
configured to trust a specific CN and anyone could get a cert signed by e.g.
Verisign  ;-)

alan
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
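
The check described in the reply above (a trusted CA plus a configured server name), as an added example that is not part of the original post: a Python audit of wpa_supplicant network blocks that flags 802.1X networks with no `ca_cert` or no name-matching option. Using wpa_supplicant as the client is an assumption, the sample configuration is constructed, and `parse_networks`, `audit` and `report` are names made up here.

```python
import re
# wpa_supplicant options that pin the name in the RADIUS server certificate.
NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

# Constructed sample configuration (SSIDs, paths and names are made up).
SAMPLE = """
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/private-ca.pem"
    domain_match="radius.example.org"
}
network={
    ssid="corp-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/public-ca.pem"
}
network={
    ssid="guest"
    key_mgmt=WPA-PSK
}
"""

def parse_networks(text):
    """Return each network={...} block as a dict of option -> value."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        opts = {}
        for line in map(str.strip, body.splitlines()):
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                opts[key.strip()] = value.strip().strip('"')
        networks.append(opts)
    return networks

def audit(opts):
    """List the server-validation gaps in one 802.1X network block."""
    if "EAP" not in opts.get("key_mgmt", "") and "eap" not in opts:
        return []  # PSK or open network: no RADIUS certificate involved
    findings = []
    if not opts.get("ca_cert"):
        findings.append("no trusted CA configured")
    if not any(opts.get(k) for k in NAME_KEYS):
        findings.append("server certificate name not pinned")
    return findings

def report(text):
    return {o.get("ssid"): audit(o) for o in parse_networks(text)}
```

The "corp-ca-only" block is the case the reply warns about: with a public CA and no name match, any certificate that CA has issued is accepted.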
