Netgate Discussion Forum

    Strict User/CN Matching

      prosoor

      I am using Windows CA for client certificates, and it generates certificates that have Subject "John Doe" and the Subject Alternative Name is (Other Name=john@mycompany.com, RFC822 Name=john.doe@mycompany.com).
      I also use Windows RADIUS server for authentication.
      I can log in to my company with user john@mycompany.com if I turn the Strict User/CN Matching off.
      If I turn it on, there is a message in the server log: john@mycompany.com != John Doe and it doesn't allow me in.
      Is there a way to tell pfSense OpenVPN server to look at the Subject Alternative Name (other name) too, not just the Subject?
      I can leave it off, but it could be a bit of a security flaw since a person who wishes to log in could use any certificate, not just his.
      BTW, pfSense is a great product.
