Dave W (Guest)
Posted: Tue Jan 11, 2005 1:29 am
Subject: MS CM VPN Client Certificate Selection

Is there a way of enforcing the certificate that the MS VPN client uses for
L2TP?
I've a Win2K3 CA and XP clients... I am deploying separate client computer
certificates for 802.1X and L2TP, each will possess the client authentication
OID (1.3.6.1.5.5.7.3.2).
I want the MS Connection Manager VPN connectoid to select the VPN
certificate and not the 802.1x certificate.
Is there any way to enforce the certificate selection?
Thanking you in advance,
Dave

Steve Riley [MSFT] (Guest)
Posted: Tue Jan 11, 2005 5:38 am
Subject: Re: MS CM VPN Client Certificate Selection

If every computer will have both certificates, why does it matter?
"Client authentication" is exactly that. There's nothing further to specify.
Steve Riley
steriley@microsoft.com

Dave W (Guest)
Posted: Tue Jan 11, 2005 2:19 pm
Subject: Re: MS CM VPN Client Certificate Selection

A number of reasons...
1. Revocation - The certificates may be issued by different CAs and
therefore the VPN will check a different CRL. The VPN concentrator may not
be able to reach the CRL for the 802.1x cert.
2. Issuance policy - The 802.1x will have a "lower" issuance policy than the
VPN computer cert. and shouldn't be used in a VPN context. Additionally, the
802.1x cert will have a custom application OID which will be checked on an
IAS remote access policy, this serves no purpose in the VPN context and
shouldn't be used.
3. Troubleshooting - I don't want to be guessing at which cert. is presented
to the VPN concentrator.
Generally, I want the VPN client to select a certificate by design, rather
than by chance.
Regards,

Steve Riley [MSFT] (Guest)
Posted: Wed Jan 12, 2005 1:23 am
Subject: Re: MS CM VPN Client Certificate Selection

Interesting; alas, this isn't something we can do right now. I like the idea
though. If you would type up a quick note and send it to secwish@microsoft.com
that would be great. I'll also forward your note to the RRAS and CA folks.
Steve Riley
steriley@microsoft.com

Dave W (Guest)
Posted: Wed Jan 12, 2005 6:33 pm
Subject: Re: MS CM VPN Client Certificate Selection

Steve,
I have sent the note to secwish. I have added an extra point...
By dropping a client authentication certificate onto the computer for 802.1x
purposes, the VPN client then has sufficient “client authentication”
credentials to present to a VPN concentrator. I cannot see a way around
limiting this… I may have 50,000 computers which will participate in 802.1x
wired and only 10,000 of that estate should be able to make a VPN. Yet, all
50,000 computers could pass the VPN machine authentication “test” by virtue
of having the 802.1x cert. I know that additional controls around user
authentication would mitigate this, but IMHO the machine authentication piece
is a little compromised.

Steve Riley [MSFT] (Guest)
Posted: Thu Jan 13, 2005 12:17 am
Subject: Re: MS CM VPN Client Certificate Selection

You could create a universal group, add all 10,000 computer accounts to that
group, and put that group in your RADIUS access policy, but that's a bit
unwieldy! :)
Thanks for sending the note.
Steve Riley
steriley@microsoft.com
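The group-based mitigation suggested in this post, scripted as an added example (it is not code from any participant in the thread). It assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the group name, OU path and input-file path are placeholders to be replaced. The script only populates the group; attaching that group as a machine-group condition to the IAS/RRAS remote access policy is done in the policy console and is not scripted here.

```powershell
# Added example, not from the thread: populate a universal security group with the
# computer accounts that are allowed to establish the VPN, so the RADIUS/IAS remote
# access policy can require membership in addition to a valid computer certificate.
Import-Module ActiveDirectory

$GroupName = 'VPN-Computers'                 # ASSUMED group name
$GroupOu   = 'OU=Groups,DC=corp,DC=example'  # ASSUMED OU that will hold the group
$ListPath  = 'C:\Temp\vpn-computers.txt'     # ASSUMED input: one computer name per line

# Create the universal security group once; a universal group resolves from any
# domain in the forest, which is what a forest-wide access policy needs.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
                         -Path $GroupOu -Description 'Computers permitted to establish the L2TP VPN' `
                         -PassThru
}

# Resolve every requested computer account; names that do not exist are reported, never guessed.
$wanted  = Get-Content -Path $ListPath | ForEach-Object { $_.Trim().TrimEnd('$') } | Where-Object { $_ }
$found   = @()
$missing = @()
foreach ($name in $wanted) {
    $computer = Get-ADComputer -Filter "Name -eq '$name'"
    if ($computer) { $found += $computer } else { $missing += $name }
}

# Read current membership from the Member attribute; Get-ADGroupMember is capped
# (5000 entries by default) and would truncate a group of this size.
$current = @((Get-ADGroup -Identity $group -Properties Member).Member)
$toAdd   = @($found | Where-Object { $current -notcontains $_.DistinguishedName })

# Add in batches so no single LDAP modify carries thousands of values.
for ($i = 0; $i -lt $toAdd.Count; $i += 500) {
    $batch = $toAdd[$i..([Math]::Min($i + 499, $toAdd.Count - 1))]
    Add-ADGroupMember -Identity $group -Members $batch
}

"Requested: {0}; already members: {1}; added: {2}; not found in AD: {3}" -f `
    $wanted.Count, ($found.Count - $toAdd.Count), $toAdd.Count, $missing.Count
if ($missing) { "Accounts not found:`n" + ($missing -join "`n") }
```

Re-running the script is safe: accounts already in the group are skipped, so the text file can serve as the authoritative list of VPN-capable computers and be replayed whenever it changes. This is a policy-side compensating control; it does not change which certificate the client presents, which is the selection problem the thread is about.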

S. Pidgorny (Guest)
Posted: Fri Jan 14, 2005 6:02 pm
Subject: Re: MS CM VPN Client Certificate Selection

Interesting it is. I mean - I don't completely understand what the problem
is - the fact that computers can use 802.1x authentication certs also for
VPN sounds more like a feature than a bug.
And you might be interested to know about some weakness in 802.1x for wired
networks - see http://sl.mvps.org/docs/802dot1x.htm
regards
S.

Dave W (Guest)
Posted: Sun Jan 16, 2005 12:15 am
Subject: Re: MS CM VPN Client Certificate Selection

My biggest issue is that I don't understand the rules which inform the IPSec
driver's certificate selection.
As another example...
I am concerned that if I get an "orphaned" client authentication certificate
(from some legacy project or project that I'm not aware of - shouldn't happen
I know, but it might!) in the computer's certificate store - and it wasn't
issued by a server that chains up to the same root that the ISA VPN
concentrator trusts; then if IPSec chose this certificate (valid client auth.
OID, valid date, etc.) ISA would reject the authentication process.
I understand where you are coming from in suggesting this is a feature
rather than a bug, but I don't really like "unexpected bonuses" - I want
things to happen by prescribed design.

S. Pidgorny (Guest)
Posted: Sun Jan 16, 2005 3:39 pm
Subject: Re: MS CM VPN Client Certificate Selection

You control enterprise policies that specify trusted certification
authorities. Certificates that are not issued by trusted CAs will not be
used for computer authentication, even if present in the computer personal
store.
Should a computer retry authentication if the computer has multiple trusted
certificates and authentication fails using one of them? I don't know. That
is quite easy to test though.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
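An added example, not code from any participant, that makes the two arguments in this thread checkable on a client: Dave's three reasons (a different CA and CRL per certificate, a different issuance policy, and not knowing which certificate is presented) and the point above that only certificates chaining to a trusted CA are usable for computer authentication. It enumerates every certificate in the computer's personal store that carries the Client Authentication EKU quoted in the thread, and for each one builds the chain with online revocation checking, extracts the certificate-policy (issuance policy) OIDs and the CRL distribution points, and flags whether it came from the VPN template. The VPN issuance-policy OID is an assumed placeholder; the script is read-only and assumes Windows PowerShell on the client.

```powershell
# Added example, not from the thread: audit which computer certificates a "client
# authentication" check could accept, and show the properties the thread argues matter.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth, the EKU quoted in the thread
$VpnPolicyOid  = '1.3.6.1.4.1.99999.1.1'   # ASSUMED placeholder: issuance policy OID of the VPN computer template

function Get-ExtensionText {
    # Return the decoded single-line text of one extension, or '' when the certificate lacks it
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

function Test-ClientAuthChain {
    # Build the chain the way a strict relying party would: whole chain checked against
    # online CRLs, and the chain must be valid for the client-authentication application policy
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$ClientAuthOid) | Out-Null
    $built  = $chain.Build($Cert)
    $root   = if ($chain.ChainElements.Count -gt 0) {
                  $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
              } else { '' }
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    [pscustomobject]@{ Valid = $built; Root = $root; Status = $status }
}

# Note: Windows also treats a certificate with NO EKU extension as valid for every purpose;
# such certificates are not listed here and deserve a separate look.
$report = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) } |
    ForEach-Object {
        $cert  = $_
        $chain = Test-ClientAuthChain -Cert $cert
        # Certificate Policies (2.5.29.32) carries the issuance policy OIDs;
        # CRL Distribution Points (2.5.29.31) tells you which CRL the concentrator must reach.
        $policies = [regex]::Matches((Get-ExtensionText $cert '2.5.29.32'), 'Policy Identifier=([0-9.]+)') |
                    ForEach-Object { $_.Groups[1].Value }
        $crls     = [regex]::Matches((Get-ExtensionText $cert '2.5.29.31'), 'URL=([^\s,]+)') |
                    ForEach-Object { $_.Groups[1].Value }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            ChainValid    = $chain.Valid
            ChainStatus   = $chain.Status
            TrustedRoot   = $chain.Root
            PolicyOids    = ($policies -join ';')
            IsVpnTemplate = [bool]($policies -contains $VpnPolicyOid)
            CrlUrls       = ($crls -join ';')
        }
    }

# More than one row with ChainValid = True means the client has several certificates a
# relying party could accept, which is exactly the ambiguity the thread is about.
$report | Sort-Object IsVpnTemplate -Descending | Format-List
```

Read the output against the thread's points: a row whose Issuer differs from the VPN CA and whose CrlUrls the concentrator cannot reach is Dave's revocation case; a row with ChainValid = False (ChainStatus explains why, e.g. UntrustedRoot or RevocationStatusUnknown) is a certificate that should not be presented at all, which is the trusted-CA argument above; and the IsVpnTemplate flag is the distinction the client software cannot be told to apply.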

Dave W (Guest)
Posted: Sun Jan 16, 2005 6:47 pm
Subject: Re: MS CM VPN Client Certificate Selection

If you are implying that the IPSec driver will not select a client
authentication certificate that doesn't chain to a trusted root then this
mitigates my concerns.
Many thanks.
Dave