windows 7 native VPN client - how does it select a certificate?
-
Monday, June 04, 2012 11:02 PM
Hello,
I am testing the Win 7 Agile VPN client (aka native Windows VPN client) using L2TP over IPsec VPN, using certificates and RADIUS (AD). It's working well overall.
One issue. On some clients, I see - inconsistently - if a client has multiple local computer certificates, sometimes the VPN client selects the wrong certificate to connect to the VPN. In the GUI, command line, or registry, I see no way to tell the client which certificate to use. Two questions: 1) how does the client select which certificate to use... 2) is there a way to force the client to use a certain certificate?
This is a Win7x64 environment. Thanks.
All Replies
-
Tuesday, June 05, 2012 8:39 PM
I discovered part of the problem. The Agile VPN client seems to "skip" a certificate if the subject name includes a DN. So, by using a DN in the subject name and using DNS in the SAN field, I've gotten the needed functionality out of the system.
The only issue left now is that - strangely - an auto-enrolled certificate from the same template as a manually enrolled certificate does not authenticate correctly? The manually enrolled certificate does not allow for any options to be set. Any ideas?
Cheers.
-
Wednesday, June 06, 2012 2:20 PM
Hi,
May I know what edition of your Windows Server? Here is a guide on RADIUS authentication that can be referred to. Please pay attention to the "configure an authentication method" section.
Basic setup using Windows 2008 Server to allow RADIUS and dot1x authentication
http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/
Ivan Liu
TechNet Community Support
-
Saturday, June 09, 2012 9:20 PM
Hello Ivan,
Thanks for the response; the scenario is: W7 clients using the Agile VPN client to do L2TP over IPsec to a firewall product. The firewall product is not Windows. The firewall does RADIUS against WS2k8R2 Standard.
When the client dials up, I clearly see in the firewall logs that the IPsec portion does not initiate due to the wrong certificate. So, it is not a RADIUS issue, as the client does not proceed on to the L2TP portion.
Again, this issue only pops up for *some* clients that have multiple certificates. Other clients with multiple certificates work fine. If a client has only the necessary certificate for VPN, 100% of clients do not have any problem. If a client has several certificates, maybe 25% have a problem. In the latter pool, when I compare a client with several certs that works vs. a client with several certs that doesn't work, I don't see any appreciable difference; they have the same set of certificates... and the certificate policies are auto-enrolled. I don't understand.
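To triage a client that picks the wrong certificate, it helps to see every computer certificate with a private key side by side with the attributes the thread calls out (DN-style Subject, DNS names in the SAN, enrollment template, expiry). The following PowerShell script is an added example, not code from the thread or from Microsoft; its "LikelyPick" column is only a heuristic built from the poster's observation that certificates with a DN in the Subject were skipped while an empty Subject plus a DNS SAN worked, and the template-extension OIDs and the IKE-intermediate EKU OID are assumptions about what a practitioner would want listed, not a documented selection rule.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# Windows 7 client; lists LocalMachine\My certificates that have a private key.
$sanOid      = '2.5.29.17'             # Subject Alternative Name
$ikeEkuOid   = '1.3.6.1.5.5.8.2.2'     # IP security IKE intermediate (assumed useful)
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')  # template name / info

Get-ChildItem -Path Cert:\LocalMachine\My |
  Where-Object { $_.HasPrivateKey } |
  ForEach-Object {
    $cert = $_

    # Pull "DNS Name=..." entries out of the formatted SAN extension.
    $dnsNames = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if ($san) {
      $dnsNames = @(($san.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '^\s*DNS Name=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }

    # Template extension(s) tell manual vs. auto-enrolled certs apart by template.
    $template = ($cert.Extensions |
      Where-Object { $templateOids -contains $_.Oid.Value } |
      ForEach-Object { $_.Format($false) }) -join '; '

    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $hasDnSubject = -not [string]::IsNullOrWhiteSpace($cert.Subject)

    [pscustomobject]@{
      Thumbprint = $cert.Thumbprint
      Subject    = $cert.Subject
      SanDns     = ($dnsNames -join ', ')
      Template   = $template
      IkeEku     = ($ekus -contains $ikeEkuOid)
      NotAfter   = $cert.NotAfter
      # Heuristic from the thread only: no DN in Subject, a DNS SAN, not expired.
      LikelyPick = (-not $hasDnSubject) -and ($dnsNames.Count -gt 0) -and
                   ($cert.NotAfter -gt (Get-Date))
    }
  } | Sort-Object LikelyPick -Descending | Format-Table -AutoSize
```

Comparing this listing between a working and a failing client with the same certificate set shows whether the difference is in a Subject DN, a missing DNS SAN, or the template extension rather than in the RADIUS step.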