Re: MS CM VPN Client Certificate Selection
From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 01/12/05
- Next message: kbruster: "RE: Microsoft Security Bulletins for 12/14/04"
- Previous message: Jeff: "Certificate Authority Error"
- In reply to: Dave W: "Re: MS CM VPN Client Certificate Selection"
- Next in thread: S. Pidgorny: "Re: MS CM VPN Client Certificate Selection"
Date: Wed, 12 Jan 2005 10:17:50 -0800
You could create a universal group, add all 10,000 computer accounts to that
group, and put that group in your RADIUS access policy, but that's a bit
unwieldy! :)
Thanks for sending the note.
Steve Riley
steriley@microsoft.com
> Steve,
> I have sent the note to secwish. I have added an extra point...
> By dropping a client authentication certificate onto the computer for
> 802.1x purposes, the VPN client then has sufficient "client
> authentication" credentials to present to a VPN concentrator. I
> cannot see a way around limiting this. I may have 50,000 computers
> which will participate in 802.1x wired and only 10,000 of that estate
> should be able to make a VPN. Yet, all 50,000 computers could pass
> the VPN machine authentication "test" by virtue of having the 802.1x
> cert. I know that additional controls around user authentication
> would mitigate this, but IMHO the machine authentication piece is a
> little compromised.
>
> "Steve Riley [MSFT]" wrote:
>
>> Interesting; alas, this isn't something we can do right now. I like
>> the idea though. If you would type up a quick note and send it to
>> secwish@microsoft.com that would be great. I'll also forward your
>> note to the RRAS and CA folks.
>>
>> Steve Riley
>> steriley@microsoft.com
>>> A number of reasons...
>>> 1. Revocation - The certificates may be issued by different CAs and
>>> therefore the VPN will check a different CRL. The VPN concentrator
>>> may not be able to reach the CRL for the 802.1x cert.
>>> 2. Issuance policy - The 802.1x will have a "lower" issuance policy
>>> than the VPN computer cert. and shouldn't be used in a VPN context.
>>> Additionally, the 802.1x cert will have a custom application OID
>>> which will be checked on an IAS remote access policy; this serves no
>>> purpose in the VPN context and shouldn't be used.
>>> 3. Troubleshooting - I don't want to be guessing at which cert. is
>>> presented to the VPN concentrator.
>>> Generally, I want the VPN client to select a certificate by design,
>>> rather than by chance.
>>> Regards,
>>>
>>> "Steve Riley [MSFT]" wrote:
>>>
>>>> If every computer will have both certificates, why does it matter?
>>>>
>>>> "Client authentication" is exactly that. There's nothing further to
>>>> specify.
>>>>
>>>> Steve Riley
>>>> steriley@microsoft.com
>>>>> Is there a way of enforcing the certificate that the MS VPN client
>>>>> uses for L2TP?
>>>>>
>>>>> I've a Win2K3 CA and XP clients... I am deploying separate client
>>>>> computer certificates for 802.1X and L2TP, each will possess the
>>>>> client authentication OID (1.3.6.1.5.5.7.3.2).
>>>>>
>>>>> I want the MS Connection Manager VPN connectoid to select the VPN
>>>>> certificate and not the 802.1x certificate.
>>>>>
>>>>> Is there any way to enforce the certificate selection?
>>>>>
>>>>> Thanking you in advance,
>>>>>
>>>>> Dave
>>>>>
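The thread's core problem is that any machine certificate carrying the Client Authentication EKU (1.3.6.1.5.5.7.3.2) can satisfy the L2TP machine-authentication check, so a VPN client may present the 802.1x certificate "by chance". The following PowerShell audit is an added example, not code from the thread or from Microsoft: it enumerates the local machine store, reports every certificate that carries the Client Authentication EKU, classifies it by a template-specific application policy OID, and warns when more than one candidate exists. The two policy OIDs and the store path are hypothetical placeholders; it assumes, as the thread does, that the 802.1x and VPN templates each put a custom application OID into the EKU extension.

```powershell
# Added example (not part of the archived thread): audit which machine
# certificates carry the Client Authentication EKU and flag the ones an
# L2TP client could present "by chance" instead of "by design".
# The VPN and 802.1x application policy OIDs below are placeholders;
# substitute the OIDs from your own certificate templates.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU, from the thread
$VpnPolicyOid  = '1.2.3.4.5.6.7.1'        # PLACEHOLDER: VPN template application policy OID
$DotOneXOid    = '1.2.3.4.5.6.7.2'        # PLACEHOLDER: 802.1x template application policy OID

function Get-ClientAuthCertificateReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumption: machine store

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Pull the Enhanced Key Usage extension; templates that set an
        # application policy normally place that OID here as well.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        if ($oids -contains $ClientAuthOid) {
            # Classify by the template-specific policy OID, not by Client Auth alone.
            $purpose = if ($oids -contains $VpnPolicyOid) { 'VPN' }
                       elseif ($oids -contains $DotOneXOid) { '802.1x' }
                       else { 'unclassified' }
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer        # different CAs mean different CRLs (point 1 in the thread)
                NotAfter   = $cert.NotAfter
                Purpose    = $purpose
                Eku        = ($oids -join ',')
            }
        }
    }
}

$report = @(Get-ClientAuthCertificateReport)
$report | Format-Table -AutoSize

# The condition the thread warns about: more than one certificate satisfies
# "client authentication", so the VPN client's choice is not deterministic.
if ($report.Count -gt 1) {
    $msg = '{0} machine certificates carry the Client Authentication EKU; ' +
           'the L2TP client may present an 802.1x cert unless the VPN server ' +
           'also checks the VPN policy OID or the issuing CA.'
    Write-Warning ($msg -f $report.Count)
}

# Certificates issued for 802.1x that would still pass a plain Client Auth check.
$report | Where-Object { $_.Purpose -eq '802.1x' } |
    ForEach-Object { Write-Warning ("802.1x cert {0} is also VPN-eligible" -f $_.Thumbprint) }
```

Run it on a domain member that has received both templates; the Issuer column shows at a glance whether the two certificates chain to different CAs, which is the CRL-reachability concern raised earlier in the thread. On the server side the complementary control is a remote access policy that matches on the VPN template's policy OID or on the issuing CA rather than on Client Authentication alone.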