(RADIATOR) EAPTLS check ID question for MS certs
Markus Moeller
huaraz at moeller.plus.com
Mon Feb 25 18:17:23 CST 2008
This might help as it is one of the reasons to use Subject Alt Name
http://support.microsoft.com/kb/281245
Subject Alternative Name = Other Name: Principal Name= (UPN). For example:
UPN = user1 at name.com
The UPN OtherName OID is : "1.3.6.1.4.1.311.20.2.3"
The UPN OtherName value: Must be ASN1-encoded UTF8 string
Markus
----- Original Message -----
From: "Mike McCauley" <mikem at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Tuesday, February 26, 2008 12:09 AM
Subject: Re: (RADIATOR) EAPTLS check ID question for MS certs
> Hello Markus,
>
>
> On Tuesday 26 February 2008 08:16, Markus Moeller wrote:
>> I would like to use MS certs which have a UPN as subject_alt_name and do
>> the ID check against this instead of the subject name.
>
> This may be possible to add.
>
> Can you send me privately an example certificate with one of these in the
> subject alt name?
> I'm interested in what the type of the subjectaltname entry is: DNS, IPADDR or URI?
>
> Cheers.
>
>>
>> If I checked right SSLeay can get the array with:
>>
>> my @subjectAlt = &Net::SSLeay::X509_get_subjectAltNames($cert);
>>
>> which could be added to EAP_13.pm.
>>
>> At the moment I have to disable the check as the identity is
>> user at COMPANY.COM and does not match the subject name but the subject alt
>> name.
>>
>>
>> Thank you
>> Markus
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
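The identity check discussed in this thread, as an added example that is not part of the original messages and is not Radiator or Net::SSLeay code: it walks a DER-encoded subjectAltName, keeps only otherName entries carrying the UPN OID quoted above with a UTF8String value, and compares them to the EAP identity. The function names, the sample bytes and the case-insensitive comparison are assumptions made for illustration.

```python
# Added example. Function names and SAMPLE_SAN are constructed for illustration.
# DER content bytes of the UPN OtherName OID 1.3.6.1.4.1.311.20.2.3
UPN_OID_DER = bytes.fromhex("2b060104018237140203")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def upns_from_san(san_der):
    """List every UPN otherName in a DER-encoded GeneralNames SEQUENCE."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:               # only [0] otherName; skip DNS, IP, URI
            continue
        t, oid, nxt = read_tlv(body, 0)
        if t != 0x06 or oid != UPN_OID_DER:
            continue                  # some other otherName type, not a UPN
        outer, wrapped, _ = read_tlv(body, nxt)   # [0] EXPLICIT wrapper
        inner, text, _ = read_tlv(wrapped, 0)
        if outer == 0xA0 and inner == 0x0C:       # value must be a UTF8String
            found.append(text.decode("utf-8"))
    return found

def identity_matches(identity, san_der):
    # Assumption: UPNs are compared case-insensitively.
    return identity.lower() in [u.lower() for u in upns_from_san(san_der)]

# Constructed SAN: dNSName pc1.name.com plus UPN otherName user1@name.com
SAMPLE_SAN = (bytes.fromhex("302e820c") + b"pc1.name.com" + bytes.fromhex(
    "a01e060a2b060104018237140203a0100c0e") + b"user1@name.com")
```

The SAN bytes must come from a certificate whose chain has already been validated; this comparison stands in for the subject-name check, not for the trust check.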