Strict User/CN Matching



  • I am using a Windows CA for client certificates, and it generates certificates that have Subject "John Doe" and a Subject Alternative Name of (Other Name=john@mycompany.com RFC822 Name=john.doe@mycompany.com).
    I also use Windows RADIUS server for authentication.
    I can log in to my company with user john@mycompany.com if I turn Strict User/CN Matching off.
    If I turn it on, there is a message in the server log: john@mycompany.com != John Doe and it doesn't allow me in.
    Is there a way to tell pfSense OpenVPN server to look at the Subject Alternative Name (other name) too, not just the Subject?
    I can leave it off, but it could be a bit of a security flaw, since a person who wishes to log in could use any certificate, not just his.
    BTW, pfSense is a great product.