I am testing the Win 7 Agile VPN client (aka native Windows VPN client) using L2TP over IPsec VPN, using certificates and RADIUS (AD). It's working well overall.
One issue. On some clients, I see - inconsistently - if a client has multiple local computer certificates, sometimes the VPN client selects the wrong certificate to connect to the VPN. In the GUI, command line, or registry, I see no way to tell the client which certificate to use. Two questions: 1) how does the client select which certificate to use... 2) is there a way to force the client to use a certain certificate?
This is a Win7x64 environment. Thanks.
I discovered part of the problem. The Agile VPN client seems to "skip" a certificate if the subject name includes a DN. So, by using a DN in the subject name and using DNS in the SAN field, I've gotten the needed functionality out of the system.
The only issue left now is that - strangely - an auto-enrolled certificate from the same template as a manually enrolled certificate does not authenticate correctly? The manually enrolled certificate does not allow for any options to be set. Any ideas?
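To compare the certificates the client has to choose from, the following PowerShell inventory is an added example (not from this thread or from Microsoft) that lists every machine certificate in LocalMachine\My with the properties discussed above: whether the Subject is a full DN or empty, the DNS names in the SAN, the EKUs, the enrolment template, private-key availability and validity. The EKU OIDs it flags (Client Authentication and IP security IKE intermediate) are an assumption about what the IPsec side expects; adjust them to the CA template in use. Running it on a client that works and one that does not lets you diff the two sets of certificates rather than eyeballing them in certlm.

```powershell
# Added diagnostic example, not code from the original thread.
# Inventories machine certificates and reports the fields that matter for
# L2TP/IPsec machine-certificate selection. Assumption: the EKU OIDs below are
# the ones the IPsec peer accepts; change them to match your CA template.

$ikeEkus = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}

function Get-VpnCertificateReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Subject Alternative Name (OID 2.5.29.17). Format($true) returns one entry
        # per line, e.g. "DNS Name=host.example.com" (label text is locale dependent).
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $dnsNames = @()
        if ($sanExt) {
            $dnsNames = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
                if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
            })
        }

        # Enhanced Key Usage (OID 2.5.29.37) as a list of OID strings.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Enrolment template: v2 templates use 1.3.6.1.4.1.311.21.7, v1 templates
        # carry the template name in 1.3.6.1.4.1.311.20.2. Useful when comparing an
        # auto-enrolled certificate with a manually enrolled one from the same template.
        $tplExt = $cert.Extensions | Where-Object {
            $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2'
        } | Select-Object -First 1
        $template = if ($tplExt) { $tplExt.Format($false) } else { '' }

        $now = Get-Date
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            SubjectIsDN   = [bool]($cert.Subject -match '(^|,)\s*CN=')
            SanDnsNames   = ($dnsNames -join ';')
            HasIkeEku     = [bool]($ekus | Where-Object { $ikeEkus.ContainsKey($_) })
            Ekus          = ($ekus -join ';')
            Template      = $template
            HasPrivateKey = $cert.HasPrivateKey
            Valid         = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            Issuer        = $cert.Issuer
        }
    }
}

# Usage: run in an elevated prompt on each client, then compare the output.
Get-VpnCertificateReport | Sort-Object HasIkeEku, SubjectIsDN -Descending | Format-Table -AutoSize
```

Export with `Get-VpnCertificateReport | Export-Csv report.csv -NoTypeInformation` on a working and a failing client and diff the two files; a certificate that differs only in Template or SanDnsNames is the first place to look.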
May I know what edition of your Windows Server? Here is a guide on RADIUS authentication that can be referred to. Please pay attention to the "configure an authentication method" section.
Basic setup using Windows 2008 Server to allow RADIUS and dot1x authentication
TechNet Community Support
Thanks for the response; the scenario is: W7 clients using the Agile VPN client to do L2TP over IPsec to a firewall product. The firewall product is not Windows. The firewall does RADIUS against WS2k8R2 Standard.
When the client dials up, I clearly see in the firewall logs that the IPsec portion does not initiate due to the wrong certificate. So, it is not a RADIUS issue, as the client does not proceed on to the L2TP portion.
Again, this issue only pops up for *some* clients that have multiple certificates. Other clients with multiple certificates work fine. If a client has only the necessary certificate for VPN, 100% of clients do not have any problem. If a client has several certificates, maybe 25% have a problem. In the latter pool, when I compare a client with several certs that works vs a client with several certs that doesn't work, I don't see any appreciable difference; they have the same set of certificates... and the certificate policies are auto-enrolled. I don't understand.