70
Figure 32 – Server ID Matching
Let’s look at some examples that show the behavior of the Server ID field with two IAS servers
configured as 802.1X Authentication Servers as shown previously:
• Example 1
: Jetdirect Server ID: Blank. Result: If the Authentication Server’s certificate is
trusted, accept all Common Names returned in the Subject field of the Authentication Server
certificate
• Example 2
: Jetdirect Server ID: “example.internal”, Require Exact Match not checked.
Result: If the Authentication Server’s certificate is trusted, accept all Common Names returned
in the Subject field of the Authentication Server certificate that have “example.internal” as a
rightmost subset. “ias.example.internal
” and “ias2.example.internal” will both be accepted
because “example.internal
” is a rightmost match for both.
• Example 3
: Jetdirect Server ID: “ias”, Require Exact Match not checked. Result: If the
Authentication Server’s certificate is trusted, accept all Common Names where “ias” is a
rightmost subset of the name. Here, both servers “ias.example.internal” and
“ias2.example.internal” will be REJECTED because it is not a rightmost subset of the name.
“ias” is a LEFTMOST match, it is NOT a rightmost match.
• Example 4
: Jetdirect Server ID: “ias.example.internal”, Require Exact Match is checked.
Result: If the Authentication Server’s certificate is trusted, accept all Common Names where
ias.example.internal is the EXACT name. Here, the server ias2.example.internal will be
REJECTED because it does NOT match EXACTLY “ias.example.internal”
• Example 5
: Jetdirect Server ID: “ias.example.internal”, Require Exact Match not checked.
Result: If the Authentication Server’s certificate is trusted, accept all Common Names where
ias.example.internal is a rightmost subset of the name. Here, the server
ias2.example.internal will be REJECTED because it is not a rightmost subset of the name.
As we can see, Jetdirect’s Server ID field allows for fine grained use of which certificate will be
accepted and can be configured to support multiple Authentication Servers without accepting all
common names.
To Next Page
Loading...
Need help?
General
