windows 7 native VPN client - how does it select a certificate?

  • June 4, 2012 23:02

    Hello,

    I am testing the Win 7 Agile VPN client (aka native Windows VPN client) using L2TP over IPsec VPN, using certificates and RADIUS (AD). It's working well overall.

    One issue. On some clients, I see - inconsistently - if a client has multiple local computer certificates, sometimes the VPN client selects the wrong certificate to connect to the VPN. In the GUI, command line, or registry, I see no way to tell the client which certificate to use. Two questions: 1) how does the client select which certificate to use... 2) is there a way to force the client to use a certain certificate? 

    This is a Win7x64 environment. Thanks.


All replies

  • June 5, 2012 20:39

    I discovered part of the problem. The Agile VPN client seems to "skip" a certificate if the subject name includes a DN. So, by using a DN in the subject name and using DNS in the SAN field, I've gotten the needed functionality out of the system. 

    The only issue left now is that - strangely - an auto-enrolled certificate from the same template as a manually enrolled certificate does not authenticate correctly? The manually enrolled certificate does not allow for any options to be set. Any ideas?

    Cheers.
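An added diagnostic that is not part of this thread or of Microsoft's tooling: it inventories the local computer's Personal certificate store and prints, for each certificate, the subject, whether that subject is a full DN (the case the post above reports being skipped), the SAN DNS names, the EKUs, whether a private key is present and whether the certificate is currently valid. It assumes the VPN machine certificate lives in Cert:\LocalMachine\My and that Windows formats the SAN extension in English ("DNS Name=").

```powershell
# Added example (not from this thread): list the fields relevant to the
# machine-certificate choice for IPsec. Assumes the certificates are in the
# local computer's Personal store and an English-locale Windows (assumptions).
$sanOid = '2.5.29.17'   # subjectAltName extension
$now    = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # SAN DNS names, parsed from the formatted extension text
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } | Select-Object -First 1
    $sanDns = @()
    if ($sanExt) {
        $sanDns = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    # Enhanced key usages, by friendly name
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $ekus = @()
    if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }

    # A subject carrying more than a bare CN= (O, OU, DC, L, ST, C) is a full DN;
    # flag it so the certificates the thread says get skipped stand out.
    $subjectIsDn = $cert.Subject -match '(^|,\s*)(O|OU|DC|L|ST|C)='

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        SubjectIsDN   = $subjectIsDn
        SanDnsNames   = ($sanDns -join ';')
        HasPrivateKey = $cert.HasPrivateKey
        Valid         = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        EKUs          = ($ekus -join ';')
    }
} | Sort-Object SubjectIsDN, Subject | Format-Table -AutoSize
```

Run it in an elevated PowerShell on a client that picks the wrong certificate and on one that works; comparing the two tables is a quicker way to spot a differing subject form, SAN or EKU than opening each certificate in the MMC snap-in.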

  • June 6, 2012 14:20
    Hi,
     
    May I know which edition of Windows Server you are running? Here is a guide on RADIUS authentication that can be referred to. Please pay attention to the "configure an authentication method" section.
     
    Basic setup using Windows 2008 Server to allow RADIUS and dot1x authentication
    http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

    Ivan-Liu

    TechNet Community Support

  • June 9, 2012 21:20

    Hello Ivan,

    Thanks for the response; the scenario is: W7 clients using the Agile VPN client to do L2TP over IPsec to a firewall product. The firewall product is not Windows. The firewall does RADIUS against WS2k8R2 Standard.

    When the client dials up, I clearly see in the firewall logs that the IPsec portion does not initiate due to the wrong certificate. So, it is not a RADIUS issue, as the client does not proceed on to the L2TP portion.

    Again, this issue only pops up for *some* clients that have multiple certificates. Other clients with multiple certificates work fine. If a client has only the necessary certificate for VPN, 100% of clients do not have any problem. If a client has several certificates, maybe 25% have a problem. In the latter pool, when I compare a client with several certs that works vs. a client with several certs that doesn't work, I don't see any appreciable difference; they have the same set of certificates... and the certificate policies are auto-enrolled. I don't understand it.