TMG and L2TP/IPSec - revoked computer certificate, clients can still connect


  • I have trouble configuring an IPSec/L2TP VPN connection.

    The network topology is as follows:

    I have an AD domain; my DC is also configured as an NPS server, but I do not use the NAP functionality. On another machine I installed a TMG server; the server is equipped with two NICs, one to connect to the ISP and the second to my internal network. TMG is a domain member. I enabled and configured VPN client access on my TMG, enabling only the L2TP/IPSec protocol, and configured TMG to use my DC as the RADIUS server for authentication. In this AD domain I have a PKI deployed.

    Now, using my PKI/CA, I issue a computer certificate for an external (non-domain-member) computer from my CA, import this certificate into the "Personal" store of the local computer certificate store, and also import my CA's root certificate into the "Trusted Root" local computer certificate store.

    I configured the client with a new VPN connection, set to use only L2TP/IPSec; in the authentication section I chose "EAP", and in its properties I chose "Secured password (EAP-MSCHAP v2)". The corresponding policies are created on my NPS server.

    All works fine! I can connect to my VPN server, authenticate, and access internal resources.

    Now I revoke the issued computer certificate on my CA. To my surprise, this does not prevent a user from connecting to the VPN from this computer (with the revoked computer certificate). I tried generating a delta and a full CRL and clearing the CRL cache on my DC, but with no success.

    Please help me with this: I want revoking a computer certificate to prevent users from connecting to the VPN from this "untrusted" computer.

    Monday, February 04, 2013 2:46 PM
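Added example, not part of the original post or any reply: the checks a practitioner would run next on the TMG host, which is the IPsec responder that actually builds and validates the client's certificate chain (the post clears the CRL cache on the DC, which is not the machine doing the IKE certificate check). The script assumes the public half of the client's computer certificate has been exported to `C:\temp\client.cer` and that the CA's CRL distribution point is reachable from the TMG host; both are assumptions, not details from the post.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the TMG host, which validates the client certificate during IKE.
# Assumption: the client computer certificate (public part) was exported to
# C:\temp\client.cer and the CA's CDP (HTTP/LDAP) is reachable from this host.

$clientCert = 'C:\temp\client.cer'   # assumption: exported client computer cert

# 1. Drop this host's cached CRLs and force the chain engine to re-fetch them.
#    The post only clears the cache on the DC; TMG keeps its own CRL cache.
certutil -urlcache crl delete
certutil -setreg chain\ChainCacheResyncFiletime @now

# 2. Build the chain for the client cert with fresh CRL retrieval and report
#    whether the chain engine on THIS host regards the certificate as revoked.
#    certutil reports CRYPT_E_REVOKED (0x80092010) for a revoked leaf.
$verify  = certutil -verify -urlfetch $clientCert
$revoked = ($verify -join "`n") -match 'CRYPT_E_REVOKED'
if ($revoked) {
    Write-Host 'Chain engine on this host sees the certificate as REVOKED.'
} else {
    Write-Host 'Chain engine does NOT see the certificate as revoked.'
    Write-Host 'Check CDP reachability and the CRL validity dates reported below:'
    $verify | Select-String -Pattern 'CRL|Revocation|ERROR'
}

# 3. Show how IKE on this host treats CRL checking for IPsec peers.
#    0 = no revocation check, 1 = fail only when the certificate is known to be
#    revoked, 2 = fail on any CRL retrieval or validation error.
netsh advfirewall show global | Select-String -Pattern 'StrongCRLCheck'

# To make revocation enforced rather than best-effort (assumption: this is the
# behaviour wanted; it applies to all IPsec negotiations on the host):
# netsh advfirewall set global ipsec strongcrlcheck 2
```

If step 2 reports the certificate as revoked but clients still connect, the remaining difference is step 3: with StrongCRLCheck at 0, IKE on the host does not consult the CRL at all, and the revoked certificate is accepted as long as it chains to the trusted root.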