Re: MS CM VPN Client Certificate Selection

From: Dave W (DaveW_at_discussions.microsoft.com)
Date: 01/15/05


Date: Sat, 15 Jan 2005 10:15:03 -0800

My biggest issue is that I don't understand the rules which inform the IPSec
driver's certificate selection.

As another example...
I am concerned that if I get an "orphaned" client authentication certificate
(from some legacy project or a project that I'm not aware of - shouldn't happen,
I know, but it might!) in the computer's certificate store, and it wasn't
issued by a CA that chains up to the same root that the ISA VPN
concentrator trusts, then if IPSec chose this certificate (valid client auth.
OID, valid date, etc.), ISA would reject the authentication process.

I understand where you are coming from in suggesting this is a feature
rather than a bug, but I don't really like "unexpected bonuses" - I want
things to happen by prescribed design.

"S. Pidgorny <MVP>" wrote:

> Interesting it is. I mean - I don't completely understand what the problem
> is - the fact that computers can use 802.1x authentication certs also for
> VPN sounds more like feature rather than a bug.
>
> And you might be interested to know about some weakness in 802.1x for wired
> networks - see http://sl.mvps.org/docs/802dot1x.htm
>
> regards
>
> S.
>
> "Dave W" <DaveW@discussions.microsoft.com> wrote in message
> news:20C0E01B-4227-4098-BA76-B5145CE4F4EE@microsoft.com...
> > Steve,
> > I have sent the note to secwish. I have added an extra point...
> >
> > By dropping a client authentication certificate onto the computer for
> 802.1x
> > purposes, the VPN client then has sufficient "client authentication"
> > credentials to present to a VPN concentrator. I cannot see a way around
> > limiting this: I may have 50,000 computers which will participate in
> 802.1x
> > wired and only 10,000 of that estate should be able to make a VPN. Yet,
> all
> > 50,000 computers could pass the VPN machine authentication "test" by
> virtue
> > of having the 802.1x cert. I know that additional controls around user
> > authentication would mitigate this, but IMHO the machine authentication
> piece
> > is a little compromised.
> >
> > "Steve Riley [MSFT]" wrote:
> >
> > > Interesting; alas, this isn't something we can do right now. I like the
> idea
> > > though. If you would type up a quick note and send it to
> secwish@microsoft.com
> > > that would be great. I'll also forward your note to the RRAS and CA
> folks.
> > >
> > > Steve Riley
> > > steriley@microsoft.com
> > >
> > >
> > >
> > > > A number of reasons...
> > > > 1. Revocation - The certificates may be issued by different CAs and
> > > > therefore the VPN will check a different CRL. The VPN concentrator
> > > > may not
> > > > be able to reach the CRL for the 802.1x cert.
> > > > 2. Issuance policy - The 802.1x will have a "lower" issuance policy
> > > > than the
> > > > VPN computer cert. and shouldn't be used in a VPN context.
> > > > Additionally, the
> > > > 802.1x cert will have a custom application OID which will be checked
> > > > on an
> > > > IAS remote access policy, this serves no purpose in the VPN context
> > > > and
> > > > shouldn't be used.
> > > > 3. Troubleshooting - I don't want to be guessing at which cert. is
> > > > presented
> > > > to the VPN concentrator.
> > > > Generally, I want the VPN client to select a certificate by design,
> > > > rather than by chance.
> > > >
> > > > Regards,
> > > >
> > > > "Steve Riley [MSFT]" wrote:
> > > >
> > > >> If every computer will have both certificates, why does it matter?
> > > >>
> > > >> "Client authentication" is exactly that. There's nothing further to
> > > >> specify.
> > > >>
> > > >> Steve Riley
> > > >> steriley@microsoft.com
> > > >>> Is there a way of enforcing the certificate that the MS VPN client
> > > >>> uses for L2TP?
> > > >>>
> > > >>> I've a Win2K3 CA and XP clients... I am deploying separate client
> > > >>> computer certificates for 802.1X and L2TP, each will possess the
> > > >>> client authentication OID (1.3.6.1.5.5.7.3.2).
> > > >>>
> > > >>> I want the MS Connection Manager VPN connectoid to select the VPN
> > > >>> certificate and not the 802.1x certificate.
> > > >>>
> > > >>> Is there any way to enforce the certificate selection?
> > > >>>
> > > >>> Thanking you in advance,
> > > >>>
> > > >>> Dave
> > > >>>
> > >
> > >
> > >
>
>
>
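The concern running through this thread is that any certificate in the computer's personal store carrying the Client Authentication EKU (1.3.6.1.5.5.7.3.2) is a candidate for L2TP/IPSec machine authentication, whether it was issued for VPN or for 802.1x, and that an "orphaned" certificate chaining to the wrong root, or one whose CRL the concentrator cannot reach, will fail in ways that are hard to troubleshoot. The following PowerShell script is an added example, not from any poster in this thread and not a Microsoft tool: it inventories the machine store the way a defender would before rolling out L2TP, listing every certificate IPSec could pick and whether it chains to the root the VPN concentrator trusts. The root thumbprint parameter is a placeholder you must supply, and the assumption that the selection pool is "private key plus client-auth EKU" is the thread's own premise, not a documented selection rule.

```powershell
# Added example: inventory candidate IPSec machine certificates and flag the
# ones that would not chain to the root the VPN concentrator trusts.
# Run in an elevated PowerShell session; reading private-key status of
# LocalMachine\My certificates needs administrative rights.
param(
    # Placeholder: replace with the thumbprint of the root CA that the
    # ISA / RRAS VPN concentrator actually trusts.
    [string]$ExpectedRootThumbprint = 'REPLACE-WITH-VPN-ROOT-THUMBPRINT'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'          # id-kp-clientAuth, as quoted in the thread
$templateInfoOid = '1.3.6.1.4.1.311.21.7'     # Microsoft Certificate Template Information (v2 templates)

function Test-HasClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

# Assumption (the thread's premise): every cert with a private key and the
# client-auth EKU is something the IPSec driver might present to the peer.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (Test-HasClientAuthEku -Cert $_)
}

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation online for the whole chain, the way the VPN peer would;
    # an unreachable CRL (point 1 in the thread) then shows up in ChainStatus.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainValid = $chain.Build($cert)

    # The last element of the built chain is the root that was actually reached.
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    # Template name helps tell an 802.1x cert from a VPN cert at a glance.
    $template = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq $templateInfoOid } |
        ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        Template         = ($template -join ';')
        ChainRoot        = if ($root) { $root.Subject } else { '<none>' }
        MatchesVpnRoot   = ($root -and $root.Thumbprint -eq $ExpectedRootThumbprint)
        ChainValid       = $chainValid
        ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}
```

Rows with MatchesVpnRoot set to False are exactly the "orphaned" certificates the thread worries about: the client could offer them, and a concentrator that only trusts the VPN root would reject them. Rows with ChainValid False and a status such as RevocationStatusUnknown or OfflineRevocation show a CRL the machine cannot fetch, which is the revocation failure mode in point 1 of the thread. Running this across the estate before enabling L2TP turns "guessing at which cert. is presented" into a list you can act on, either by removing the stray certificates or by deciding deliberately which ones belong in the machine store.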


