Re: MS CM VPN Client Certificate Selection

From: Dave W (DaveW_at_discussions.microsoft.com)
Date: 01/15/05


Date: Sat, 15 Jan 2005 10:15:03 -0800

My biggest issue is that I don't understand the rules which inform the IPSec
driver's certificate selection.

As another example...
I am concerned that if I get an "orphaned" client authentication certificate
(from some legacy project or project that I'm not aware of - shouldn't happen,
I know, but it might!) in the computer's certificate store, and it wasn't
issued by a server that chains up to the same root that the ISA VPN
concentrator trusts, then if IPSec chose this certificate (valid client auth.
OID, valid date, etc.) ISA would reject the authentication process.

I understand where you are coming from in suggesting this is a feature
rather than a bug, but I don't really like "unexpected bonuses" - I want
things to happen by prescribed design.

"S. Pidgorny <MVP>" wrote:

> Interesting it is. I mean - I don't completely understand what the problem
> is - the fact that computers can use 802.1x authentication certs also for
> VPN sounds more like a feature than a bug.
>
> And you might be interested to know about some weakness in 802.1x for wired
> networks - see http://sl.mvps.org/docs/802dot1x.htm
>
> regards
>
> S.
>
> "Dave W" <DaveW@discussions.microsoft.com> wrote in message
> news:20C0E01B-4227-4098-BA76-B5145CE4F4EE@microsoft.com...
> > Steve,
> > I have sent the note to secwish. I have added an extra point...
> >
> > By dropping a client authentication certificate onto the computer for 802.1x
> > purposes, the VPN client then has sufficient "client authentication"
> > credentials to present to a VPN concentrator. I cannot see a way around
> > limiting this: I may have 50,000 computers which will participate in 802.1x
> > wired and only 10,000 of that estate should be able to make a VPN. Yet, all
> > 50,000 computers could pass the VPN machine authentication "test" by virtue
> > of having the 802.1x cert. I know that additional controls around user
> > authentication would mitigate this, but IMHO the machine authentication piece
> > is a little compromised.
> >
> > "Steve Riley [MSFT]" wrote:
> >
> > > Interesting; alas, this isn't something we can do right now. I like the idea
> > > though. If you would type up a quick note and send it to secwish@microsoft.com
> > > that would be great. I'll also forward your note to the RRAS and CA folks.
> > >
> > > Steve Riley
> > > steriley@microsoft.com
> > >
> > >
> > >
> > > > A number of reasons...
> > > > 1. Revocation - The certificates may be issued by different CAs and
> > > > therefore the VPN will check a different CRL. The VPN concentrator may not
> > > > be able to reach the CRL for the 802.1x cert.
> > > > 2. Issuance policy - The 802.1x will have a "lower" issuance policy than the
> > > > VPN computer cert. and shouldn't be used in a VPN context. Additionally, the
> > > > 802.1x cert will have a custom application OID which will be checked on an
> > > > IAS remote access policy; this serves no purpose in the VPN context and
> > > > shouldn't be used.
> > > > 3. Troubleshooting - I don't want to be guessing at which cert. is presented
> > > > to the VPN concentrator.
> > > > Generally, I want the VPN client to select a certificate by design,
> > > > rather than by chance.
> > > >
> > > > Regards,
> > > >
> > > > "Steve Riley [MSFT]" wrote:
> > > >
> > > >> If every computer will have both certificates, why does it matter?
> > > >>
> > > >> "Client authentication" is exactly that. There's nothing further to
> > > >> specify.
> > > >>
> > > >> Steve Riley
> > > >> steriley@microsoft.com
> > > >>> Is there a way of enforcing the certificate that the MS VPN client
> > > >>> uses for L2TP?
> > > >>>
> > > >>> I've a Win2K3 CA and XP clients... I am deploying separate client
> > > >>> computer certificates for 802.1X and L2TP, each will possess the
> > > >>> client authentication OID (1.3.6.1.5.5.7.3.2).
> > > >>>
> > > >>> I want the MS Connection Manager VPN connectoid to select the VPN
> > > >>> certificate and not the 802.1x certificate.
> > > >>>
> > > >>> Is there any way to enforce the certificate selection?
> > > >>>
> > > >>> Thanking you in advance,
> > > >>>
> > > >>> Dave
> > > >>>
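The thread's worry is that any machine certificate carrying the Client Authentication EKU (1.3.6.1.5.5.7.3.2) is a potential candidate for IPsec machine authentication, including an "orphaned" one that does not chain to the root the VPN side trusts or whose CRL the concentrator cannot reach. The following PowerShell audit is an added example, not code from the thread or from Microsoft: it enumerates the Local Computer Personal store, keeps the certificates that match the criteria the thread describes (private key present, time-valid, Client Authentication EKU or no EKU extension at all, which RFC 5280 treats as unrestricted), builds each chain with revocation checking, and reports whether the chain ends at the root you specify. The root thumbprint is a placeholder assumption; the script needs PowerShell 3 or later for `[pscustomobject]`.

```powershell
# Added example (not from the thread): inventory machine certificates that IPsec
# machine authentication could plausibly present, and flag the "orphans" that
# would fail on the VPN side because of chain or revocation problems.
function Get-VpnCandidateCertificate {
    param(
        # Thumbprint of the root CA the VPN/ISA side trusts. Placeholder assumption;
        # replace with the real root's thumbprint.
        [Parameter(Mandatory = $true)]
        [string]$TrustedRootThumbprint,

        # 'Online' exercises the same CRL fetch the concentrator will attempt;
        # use 'NoCheck' for a quick offline inventory.
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    $wanted = ($TrustedRootThumbprint -replace '\s', '').ToUpperInvariant()

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Only certificates with a private key and a valid lifetime are usable by IKE.
        if (-not $cert.HasPrivateKey) { continue }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { continue }

        # RFC 5280: a certificate with no EKU extension is not restricted to any
        # purpose, so it is a candidate too; record that explicitly.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) {
            $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
            if (-not $hasClientAuth) { continue }
            $ekuNote = 'ClientAuth EKU'
        } else {
            $ekuNote = 'no EKU extension (unrestricted)'
        }

        # Build the chain the way a relying party would, including revocation.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = $RevocationMode
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $built = $chain.Build($cert)

        $rootThumb = $null
        if ($chain.ChainElements.Count -gt 0) {
            $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        }
        # Status flags such as RevocationStatusUnknown / OfflineRevocation show up here
        # when the CRL could not be fetched (the thread's point 1).
        $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Subject             = $cert.Subject
            Thumbprint          = $cert.Thumbprint
            Issuer              = $cert.Issuer
            Eku                 = $ekuNote
            ChainBuilt          = $built
            RootThumbprint      = $rootThumb
            ChainsToTrustedRoot = ($rootThumb -eq $wanted)
            ChainStatus         = $statusText
        }
    }
}

# Usage: list every candidate, then isolate the ones the VPN side would reject.
# The thumbprint below is a placeholder assumption.
$all = Get-VpnCandidateCertificate -TrustedRootThumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'
$all | Format-Table Subject, Eku, ChainsToTrustedRoot, ChainStatus -AutoSize
$all | Where-Object { -not $_.ChainsToTrustedRoot -or $_.ChainStatus -match 'Revocation' }
```

Run it from an elevated prompt so the private-key check sees the machine keys. More than one row in the first table is exactly the situation the thread describes: several certificates satisfy the stated criteria and nothing in them says which one the client will offer. The second list is the set you would remove or reissue before relying on machine authentication alone.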