Subject Alternate Name with 802.1x Authentication
Hi there,

I currently have a CA for our local domain that has provided a signed cert for our Radius server so that it can authenticate users for wireless connectivity with 802.1x. So far I have no issues with this setup, and the main point is it works. But what I would like to do is to simplify the process of setting up the wireless profile required to connect to our networks. We are a BYOD (bring your own device) environment, so oftentimes we have to uncheck Validate Server Certificate, as we do not provide the public cert for our user base.

Now, we do have a signed cert from an official CA for our domain name, let's say someDomain.bc.ca. I have now set up my CA to create another Radius template, but one where you have to fill in the properties for the SUBJECT, thereby allowing an alternative subject name. I plan to import the signed cert someDomain.bc.ca into the personal certificate store for the Radius server. I then plan to request a certificate from our local domain CA, with a subject alternative name of radiusserver.somedomain.bc.ca.

Will this work? Do I need to clarify my question? I'm essentially trying to avoid the users going through the pain of a configuration step.

Thanks, Steve
September 12th, 2012 4:36pm

Hi Steve, Thanks for posting in Microsoft TechNet forums. I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support. Regards Kevin
September 14th, 2012 1:08am

Assuming the "signed certificate" you are referring to is a server certificate, you only need to configure your RADIUS server to use the external/public certificate after installing/importing it in the computer store of each of your RADIUS servers. There is no need to issue any other certificates in this case! /Hasain
September 14th, 2012 2:13am

Generally, we can request a single certificate and install it on multiple servers by using SAN. http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx
September 14th, 2012 5:33am

Sorry, I am going to have to play clueless here, as I'm still fairly new to the whole Radius aspect of things.

Currently I have a *.somedomain.bc.ca cert for our external-facing web pages that do SSL. I want to use the *.somedomain.bc.ca cert with our internal CA server, which is tied to AD, so that I can do 802.1x authentication without having the annoying prompts of installing the untrusted certificate on Macs, or having to uncheck Validate Server Certificate on the PCs. Currently my 802.1x environment is working fine and the Radius server authenticates my wireless clients; however, the initial setup is a pain, especially with the prompt.

When I import my *.somedomain.bc.ca cert to the personal store of my Radius server, and then select that cert as the cert for the EAP method for the Radius server, my clients fail to authenticate. So I was wondering how I can get away with using the * cert and still authenticate to AD, hence why I was looking for SAN names.

Thanks, Steve
September 14th, 2012 12:56pm

I am not sure this *.somedomain.bc.ca cert is available for CA. Please check it and make sure it has usages: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
September 15th, 2012 3:03am
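
An added example, not written by any poster in this thread: a PowerShell report, run on the RADIUS server, of the certificate properties the replies above turn on (computer Personal store, private key, key usage, Server Authentication EKU, wildcard and SAN names). It assumes the built-in `Cert:` drive; the output property names are made up for this example.

```powershell
# Added example: list each certificate in the computer's Personal store with
# the properties to review before selecting it for EAP on a RADIUS server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$x509          = 'System.Security.Cryptography.X509Certificates'

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # .NET exposes the well-known extensions as typed objects.
    $kuExt  = $cert.Extensions | Where-Object { $_ -is "$x509.X509KeyUsageExtension" }
    $ekuExt = $cert.Extensions | Where-Object { $_ -is "$x509.X509EnhancedKeyUsageExtension" }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }

    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Format($false) renders the SAN entries on one line, e.g. "DNS Name=..."
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    # KeyCertSign in the key usage marks a CA certificate, not a server one.
    $canSign = $false
    if ($kuExt) {
        $canSign = $kuExt.KeyUsages.HasFlag(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign)
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey      # imported with its key?
        KeyUsage      = if ($kuExt) { $kuExt.KeyUsages } else { 'none' }
        CanSignCerts  = $canSign
        ServerAuthEku = $ekuOids -contains $serverAuthOid
        Wildcard      = $cert.Subject.Contains('CN=*') -or $sanText.Contains('*')
        SAN           = $sanText
    }
} | Format-List
```

A certificate whose key usage includes `KeyCertSign` and `CrlSign` is a CA certificate; a publicly issued wildcard certificate will normally show `CanSignCerts : False` and `Wildcard : True`.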

This topic is archived. No further replies will be accepted.
