Strict User/CN Matching
prosoor last edited by
I am using a Windows CA for client certificates, and it generates certificates that have the Subject "John Doe" and the Subject Alternative Name (Other Name: firstname.lastname@example.org, RFC822 Name: email@example.com).
I also use a Windows RADIUS server for authentication.
I can log in to my company with the user firstname.lastname@example.org if I turn Strict User/CN Matching off.
If I turn it on, there is a message in the server log: email@example.com != John Doe, and it doesn't allow me in.
Is there a way to tell pfSense OpenVPN server to look at the Subject Alternative Name (other name) too, not just the Subject?
I can leave it off, but it could be a bit of a security flaw, since a person who wishes to log in could use any certificate, not just his own.
BTW, pfSense is a great product.