0

How does Windows check the RADIUS server certificate (for Wi-Fi connections)? Does it look only at the CN field of the RADIUS server certificate and not at the Subject Alternative Name field at all?

I did some tests, and Windows accepts the RADIUS server certificate only if the CN field of the certificate matches the value in the "Connect to these servers:" field of the Windows certificate validation properties.

Other operating systems look at the Subject Alternative Name field of the certificate.

Raf

1 Answer

0

I stand corrected. You found the RFC that states CN should be evaluated last: https://www.rfc-editor.org/rfc/rfc6125#page-28. Whether or not the client is properly implementing this to the RFC spec is a different matter.

Andrew
  • By my tests, iOS and wpa_supplicant (Android) use Subject Alternative Names. RFC 6125 Chapter 6.4.4 https://tools.ietf.org/html/rfc6125#page-28 says that the client should check CN as a last resort. – Raf Feb 27 '18 at 18:24
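
The matching order from RFC 6125 section 6.4.4 that this thread refers to, written out as an added example (not code from either poster or from any supplicant). It assumes certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, considers only dNSName entries among the SAN types, and uses constructed host names; `check_server_name` is a hypothetical helper name.

```python
# Added example: RFC 6125 section 6.4.4 ordering (SAN dNSName first, CN last).
# Certificates are dicts in the shape returned by ssl.SSLSocket.getpeercert();
# every host name below is a constructed sample value.

def _name_match(pattern: str, name: str) -> bool:
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not p.startswith("*."):
        return p == n
    # The wildcard covers exactly one label: *.example.com matches a.example.com
    # but not a.b.example.com. Requiring a dot in the remainder rejects "*.com"
    # (a conservative policy choice of this example).
    head, _, rest = n.partition(".")
    return bool(head) and rest == p[2:] and "." in rest


def check_server_name(cert: dict, expected: str):
    """Return (matched, source); source is 'SAN', 'CN' or None."""
    dns_ids = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_ids:
        # A dNSName SAN is present, so the CN must not be consulted at all.
        ok = any(_name_match(d, expected) for d in dns_ids)
        return ok, "SAN" if ok else None
    # Last resort: the certificate carries no dNSName, fall back to the CN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(_name_match(c, expected) for c in cns)
    return ok, "CN" if ok else None


# Constructed certificates for a RADIUS server
SAN_AND_CN = {
    "subject": ((("commonName", "radius.example.com"),),),
    "subjectAltName": (("DNS", "nps01.example.com"), ("DNS", "nps02.example.com")),
}
CN_ONLY = {"subject": ((("commonName", "radius.example.com"),),)}
WILDCARD_SAN = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for cert, name in [(SAN_AND_CN, "nps01.example.com"),
                       (SAN_AND_CN, "radius.example.com"),
                       (CN_ONLY, "radius.example.com")]:
        print(name, check_server_name(cert, name))
```

A certificate whose expected server name appears in both the CN and a dNSName SAN passes this SAN-first check as well as a check that compares only the CN.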