For 802.1x PEAP RADIUS Authentication, do you use a different certificate per server


Consider an environment that uses 802.1x PEAP authentication via RADIUS. Typically, this is to authenticate wireless clients.

In this environment there are multiple RADIUS servers and clients will be served by whichever is available.

I have seen two approaches with regard to the server certificate presented to clients.

In the first, the same certificate is configured on each RADIUS server. The CN is something generic, e.g. "wireless.mycompany.com"

In the second, the certificate is different on each server and the CN is the hostname of the server, e.g. "server1.mycompany.com"

My question is: Are both acceptable solutions? What are the pros and cons of each approach?

EDIT: Interested particularly in comments relating to ease of roaming for clients.

Best Answer

Although both solutions will work, I would recommend avoiding certificate sharing across multiple hosts. It is related to private key management. The more entities have knowledge of the key, the lower the security provided, because you can't know for certain which server compromised the key (as they share the same key).

The best practice dictates that no more than one entity shall know about any particular private key. Think about the PIN for your credit card. Would you share it with someone?

Therefore, the best practice is to provide an individual certificate to each RADIUS server. You can assign a unique name in each certificate (the RADIUS server's host name, for example), or use a generic common name in all RADIUS certificates. There is no best practice for RADIUS certificate naming.
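To make the roaming trade-off concrete, here is an added illustration (my own code, not part of the question or the answer above) that models the three deployments in plain Python: one shared certificate and key, a certificate and key per server with the hostname as CN, and the answer's suggested middle ground of a key per server but a generic name in every certificate. The supplicant policies `domain_match` (exact name) and `domain_suffix_match` (parent-domain suffix) are simplified imitations of the wpa_supplicant options of the same names; the certificate data is constructed, not parsed from real X.509.

```python
"""Model of how a PEAP supplicant's server-name policy interacts with the
certificate deployment chosen for a RADIUS fleet (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Sequence, Tuple


@dataclass(frozen=True)
class ServerCert:
    """Constructed stand-in for a RADIUS server certificate (not a real X.509 object)."""
    host: str                    # server the certificate is installed on
    cn: str                      # subject common name
    sans: Tuple[str, ...] = ()   # dNSName subjectAltName entries
    key_id: str = ""             # label for the private key the cert is bound to

    def names(self) -> Tuple[str, ...]:
        return (self.cn,) + self.sans


def domain_match(cert: ServerCert, expected: Iterable[str]) -> bool:
    """Accept only if one of the certificate's names exactly equals an expected name
    (simplified imitation of wpa_supplicant's domain_match)."""
    wanted = {e.lower() for e in expected}
    return any(n.lower() in wanted for n in cert.names())


def domain_suffix_match(cert: ServerCert, suffix: str) -> bool:
    """Accept if a certificate name is the suffix itself or a label under it
    (simplified imitation of wpa_supplicant's domain_suffix_match)."""
    s = suffix.lower()
    return any(n.lower() == s or n.lower().endswith("." + s) for n in cert.names())


def roaming_ok(fleet: Sequence[ServerCert], accept: Callable[[ServerCert], bool]) -> bool:
    """True if the client's policy accepts every server it might be steered to."""
    return all(accept(c) for c in fleet)


def hosts_per_key(fleet: Sequence[ServerCert]) -> Dict[str, int]:
    """How many hosts hold each private key: the blast radius of one key compromise."""
    return dict(Counter(c.key_id for c in fleet))


HOSTS = ("server1", "server2", "server3")
GENERIC = "wireless.mycompany.com"

# Approach 1 from the question: one certificate and key copied to every server.
SHARED_FLEET = tuple(ServerCert(h, GENERIC, key_id="key-shared") for h in HOSTS)

# Approach 2 from the question: per-server certificate and key, CN = hostname.
PER_HOST_FLEET = tuple(
    ServerCert(h, f"{h}.mycompany.com", key_id=f"key-{h}") for h in HOSTS)

# The answer's suggestion: individual key per server, generic name in every cert.
PER_HOST_GENERIC_FLEET = tuple(
    ServerCert(h, f"{h}.mycompany.com", sans=(GENERIC,), key_id=f"key-{h}") for h in HOSTS)


if __name__ == "__main__":
    generic_only = lambda c: domain_match(c, [GENERIC])
    for label, fleet in (("shared", SHARED_FLEET),
                         ("per-host", PER_HOST_FLEET),
                         ("per-host + generic SAN", PER_HOST_GENERIC_FLEET)):
        print(f"{label:24s} client expects {GENERIC!r}: roaming ok = "
              f"{roaming_ok(fleet, generic_only)}, hosts per key = {hosts_per_key(fleet)}")
```

Run as a script it shows that a client configured to expect only the generic name roams freely on the shared fleet and on the per-host-plus-generic-SAN fleet, but is rejected by the plain per-host fleet unless its policy lists every hostname or uses a suffix match; `hosts_per_key` shows why the shared fleet is the one where a single key compromise cannot be attributed to a server.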
