cat-users - Re: [[cat-users]] eduroam and certificates

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] eduroam and certificates


  • From: Martin Pauly <pauly AT hrz.uni-marburg.de>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] eduroam and certificates
  • Date: Fri, 13 Aug 2021 16:08:25 +0200

Hello Patrick,

On 13.08.21 at 15:29, Patrick Oberli wrote:
> Our CA really doesn't like to provide one certificate with multiple
> hostnames, destined for several radius servers.
You are talking about RADIUS servers doing 802.1X/802.11i, i.e. some sort of
TLS authentication on layer 2, right?
The "opposite" would be radsecproxy which is entirely different in these
details.

If you just want to provide two or more RADIUS servers (for redundancy) which
serve exactly the same purpose, you can simply use the same cert for all of
them.

Please read
https://wiki.geant.org/pages/viewpage.action?pageId=121346259
Section EAP Server certificate considerations
Consideration 2: Recommended certificate properties

The technical reason is: With a layer 2 logon process (i.e. TLS over EAPoL),
there is no DNS resolving step involved that would give the client an implicit
clue which servername (CN/SAN) to check in the server cert. Rather, you
pre-configure the (fixed) servername in your clients (Android calls this string
"Domain" in the UI).
Along with the root cert which was used to sign the server cert, the identity
check becomes unique and "waterproof".

> Or does the operating system only check the domain and root CA (I
> think Android does that) if it's the same today? So various
> certificates with the same domain from the same CA would not cause a
> certificate accept pop-up?
Exactly. And all clients should follow the same procedure here.
Android is only different in that many Android implementations
easily use "Do not validate" as their default setting which makes
the client vulnerable to the infamous "Evil Twin" attack.
Most other OSes pop up the cert warning instead, implementing TOFU.

Cheers, Martin

--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg
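The check Martin describes (a pinned root CA plus a fixed server name configured in the client, so that any number of server certs carrying that name and chaining to that root are accepted without a prompt) is what the Linux supplicant implements with `ca_cert` and `domain_match`. The following wpa_supplicant.conf fragment is an added example and not part of the thread; the CA path, server name and realm are placeholders for your own IdP.

```conf
# Added example (not from the original thread): wpa_supplicant network block
# that implements the "root CA + fixed server name" check described above.
# This is the Linux counterpart of Android's "Domain" field.
# All values below are placeholders.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Root CA that signed the RADIUS server certificate (placeholder path).
    # A server cert that does not chain to this file is rejected, no matter
    # which public CA issued it.
    ca_cert="/etc/ssl/eduroam/idp-root-ca.pem"
    # Exact name that must appear in the server cert's CN/SAN (placeholder).
    # Because the name is fixed here rather than derived from DNS, several
    # different certs with this name from the same root are all accepted
    # without any pop-up; this is what the thread recommends.
    domain_match="radius.example-idp.org"
    anonymous_identity="anonymous@example-idp.org"
    identity="user@example-idp.org"
    password="<your-password>"
}

# Weak variant for comparison, equivalent to Android's "Do not validate":
# without ca_cert, wpa_supplicant does not verify the server certificate at
# all, which leaves the client open to the "Evil Twin" attack the thread
# mentions. Do not deploy this.
# network={
#     ssid="eduroam"
#     key_mgmt=WPA-EAP
#     eap=PEAP
#     phase2="auth=MSCHAPV2"
#     identity="user@example-idp.org"
#     password="<your-password>"
# }
```

If the server name should only be constrained to a suffix (for example several RADIUS hosts under one domain), `domain_suffix_match` can be used instead of `domain_match`; the pinned `ca_cert` stays mandatory either way.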



Archive powered by MHonArc 2.6.19.