Hi Tom, so I have one thing I wasn't yet able to solve: the CN on the certificate you map to the calling router's account.
My configuration is a bit different here: both routers (ISAs) are in the same AD and already have (rather, had...) a VPN between them authenticated by MS-CHAPv2. I just have to change auth. to EAP (why? That's in another topic). Machine certificates are issued automatically, so I only had to export them and map them to the opposite end's domain account. And it did not work, saying that user/pwd is wrong.
After some longer investigation I found out that not only does the calling account's name have to be the same as the DoD interface name, but also the CN on the caller's certificate must match it. And when you get a machine cert the normal way, the cert's CN equals the machine FQDN...
I finally solved the problem by manually enrolling "Router (offline request)" certificates for both machines with a CN the same as the account and DoD name. And this config worked.
Does it have to be like this? Isn't it enough to map the certificate to the proper account? If it's mapped, then I suppose it should "translate" the cert to the account and then "match" it with the DoD name. But it does not seem to do that...
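The constraint described in the post above (the certificate's subject CN must equal the demand-dial interface name and the mapped account name, so an auto-enrolled machine cert carrying the FQDN fails where a manually enrolled one carrying the short name works) can be checked before touching the VPN configuration. The following shell script is an added example, not code from either poster or from ISA Server: it reads the subject CN out of a certificate with OpenSSL and compares it case-insensitively against the name you expect. The helper that builds a throwaway self-signed certificate exists only so the script runs offline; the names `callingserv` and `callingserv.company.local` are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a certificate's subject CN
# matches the demand-dial interface / account name before using it for EAP.
# Requires the openssl command-line tool.

cert_cn() {
    # Print only the CN attribute of the certificate's subject.
    # RFC2253 output is comma-separated, so split on commas and keep "CN=...".
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p'
}

cn_matches_interface() {
    # Usage: cn_matches_interface cert.pem EXPECTED_NAME
    # Returns 0 when the CN equals the expected name, ignoring case
    # (Windows account and interface names are not case-sensitive).
    cn=$(cert_cn "$1")
    [ "$(printf '%s' "$cn" | tr 'A-Z' 'a-z')" = \
      "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

make_test_cert() {
    # Constructed self-signed certificate with the given CN, for demonstration
    # only: stands in for the cert an enrolment would produce.
    # Usage: make_test_cert CN_VALUE out.pem
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" \
        -subj "/CN=$1" -days 1 >/dev/null 2>&1
}

report() {
    # Usage: report cert.pem EXPECTED_NAME
    if cn_matches_interface "$1" "$2"; then
        echo "OK: CN '$(cert_cn "$1")' matches interface/account name '$2'"
    else
        echo "MISMATCH: CN '$(cert_cn "$1")' does not match '$2'"
    fi
}
```

Run it against the certificate you exported and the demand-dial interface name you configured, for example `report callingserv.pem callingserv`; an auto-enrolled machine certificate will report a mismatch because its CN is the FQDN, which is exactly the failure the post describes.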
RE: Discussion of article on site to site VPN with EAP ... - 24.Jul.2005 3:23:00 PM
Ok... I'm at a loss.
I have a remote site running RRAS, and head office running ISA2k4. The calling server already has a computer certificate. Let's say the server name is callingserv.company.local.
I've tried setting the interface names at both sides to "callingserv" and to "callingserv.company.local", and there is an AD account with the callingserv certificate mapped (an AD account with the short name and the FQDN). It still comes back with bad username/password, and the ISA logs "IAS_NO_SUCH_USER".