<div dir="ltr">So just to check, our radius server has a cert with a CN=<a href="http://radius.york.ac.uk">radius.york.ac.uk</a> and its SubjAltNames are<div><br></div><div><div> X509v3 Subject Alternative Name:</div><div> DNS:<a href="http://radius.york.ac.uk">radius.york.ac.uk</a>, DNS:<a href="http://www.radius.york.ac.uk">www.radius.york.ac.uk</a></div></div><div><br></div><div>so you're saying that my radius server also needs to have <a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a> as a SubjAltName in it as well ?</div><div><br></div><div>If so, really really don't want to do that</div><div>A</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 1 December 2017 at 13:47, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Alex,<br>
<span class=""><br>
> # Where is this coming from ? The cert on <a href="http://vpn.york.ac.uk" rel="noreferrer" target="_blank">vpn.york.ac.uk</a><br>
> lives on a host called <a href="http://vpn10.york.ac.uk" rel="noreferrer" target="_blank">vpn10.york.ac.uk</a><br>
> and has multiple SubjAlt Name entries for all<br>
> the real vpn servers we might want to use the cert on.<br>
> # Think this is "wrong " message, <br>
> Dec 1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not<br>
> match to '<a href="http://vpn.york.ac.uk" rel="noreferrer" target="_blank">vpn.york.ac.uk</a>'<br>
> Dec 1 10:40:13 deadpool charon-nm: 06[TLS] sending fatal TLS alert<br>
> 'access denied'<br>
<br>
</span>That's the certificate provided by the RADIUS server during EAP-PEAP.<br>
As you can't specify an AAA identity with the NM frontend the server's<br>
IKE identity (i.e. the hostname) must be contained as subjecAltName in<br>
that certificate too.<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div><br></div>