Hi,

> I've been searching around the list and the Internet trying to figure
> out how a wireless client can verify the hostname of the SSL cert
> provided by Radiator through the NAS as an SMTP or HTTP client would,
> but I can't seem to find anything insightful. I'm not concerned with how
> the client uses the SSL chain and its included CAs to verify the cert
> cryptographically.
>
> For one, the client doesn't have Internet to make a reverse lookup until
> they accept the cert.
Correct. There are no reverse lookups etc. The client is configured to trust a CA (and the RADIUS cert is signed by that CA, either directly or with intermediates that the client either knows or is passed through to it via the 802.1X certificate phase) and the client is configured to trust a CN; that CN is given to the RADIUS certificate. I.e. the client is configured to trust a CA and is given the CN of a certificate it should trust. The RADIUS server presents a certificate signed by that trusted CA and has a name that the client is configured to trust.

You'll realise by now that you don't want to use a public CA, as many clients cannot be configured to trust a specific CN and anyone could get a cert signed by e.g. Verisign ;-)

alan

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
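The two-part check described in the reply (chain to the configured CA, then match the configured CN), modelled as an added example in Go; this is not code from the list or from Radiator, and the CA label, the server name "radius.corp.example" and the throwaway self-signed certificates are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers for the throwaway certs

// newCert issues a self-signed CA (parent == nil) or a server cert signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// supplicantTrusts is what the 802.1X client does with no network: verify the
// server cert chains to the one CA it was configured with, then require the
// CN it was told to expect. Either check alone is not enough.
func supplicantTrusts(server, trustedCA *x509.Certificate, trustedCN string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := server.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // signed by some other CA (e.g. a public one)
	}
	return server.Subject.CommonName == trustedCN
}

func main() {
	ca, caKey := newCert("Corp RADIUS CA", true, nil, nil)
	good, _ := newCert("radius.corp.example", false, ca, caKey)
	fmt.Println("trusted:", supplicantTrusts(good, ca, "radius.corp.example"))
}
```

The third case in the test, a cert with the right CN issued by a different CA, is exactly why a public CA is a poor fit here: the CA check, not the name alone, rejects it. Real supplicants such as wpa_supplicant also match SAN DNS names (domain_match), not only the CN.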