Discussion of article on site to site VPN with EAP User Auth
Discussion of article on site to site VPN with EAP User... - 17.Oct.2004 8:26:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on site to site VPN configs using EAP user auth for the calling VPN gateway at http://www.isaserver.org/articles/2004s2seapauth.html

HTH,
Tom

[ October 18, 2004, 12:04 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion of article on site to site VPN with EAP ... - 20.Oct.2004 9:49:00 AM   
macrus

 

Posts: 58
Joined: 8.Feb.2002
From: Poland
Status: offline
Hi Tom,
So there is one thing I wasn't yet able to solve: the CN on the certificate you map to the calling router's account.

My configuration is a bit different here - both routers (ISAs) are in the same AD and already do have (rather had...) a VPN between them authenticated by MS-CHAPv2. I just have to change auth. to EAP (why? It's in another topic). Machine certificates are issued automatically, so I only had to export them and map them to the opposite end's domain account. And it did not work, saying that the user/pwd is wrong.

After some longer investigation I found out that not only does the calling account's name have to be the same as the DoD interface name, but also the CN on the caller's certificate must match it. And when you get a machine cert the normal way, the cert's CN equals the machine FQDN...

I finally solved the problem by manually enrolling "Router (offline request)" certificates for both machines with the CN the same as the account and DoD name. And this config worked.

Does it have to be like this? Isn't it enough to map the certificate to the proper account? If it's mapped - then I suppose it should "translate" the cert to the account and then "match" it with the DoD name. But it does not seem to do that...

cheers

(in reply to tshinder)
Post #: 2
RE: Discussion of article on site to site VPN with EAP ... - 26.Oct.2004 6:03:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Maciej,

As long as the name on the demand dial interface is *exactly the same* as the name on the calling VPN gateway's certificate, it will work. That's the nature of the RRAS demand-dial routing/interfaces.

HTH,
Tom

(in reply to tshinder)
Post #: 3
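As an added illustration of the rule discussed in the two posts above (this is not code from the thread or from ISA Server), the check below parses a certificate subject DN and reports whether its CN, the demand-dial interface name and the calling gateway's account name line up; the DN strings are constructed samples, and the case-insensitive comparison is an assumption based on Windows name handling.

```python
# Added example, not from the forum thread: a consistency check for the
# three names the thread says must agree for an EAP-authenticated
# site-to-site VPN on ISA/RRAS: the demand-dial (DoD) interface name,
# the calling gateway's AD account name, and the CN on its certificate.
# Comparing case-insensitively is an assumption (Windows names are
# case-insensitive); the thread itself only says "exactly the same".

def parse_dn(dn):
    """Parse an RFC 2253-style DN ('CN=x, O=y') into a dict of attributes.
    A backslash-escaped comma inside a value is kept as part of the value."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == '\\':
            esc = True
        elif ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    attrs = {}
    for part in parts:
        if '=' in part:
            key, value = part.split('=', 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs

def check_s2s_names(interface_name, account_name, cert_subject_dn):
    """Return a list of mismatches; an empty list means the names agree."""
    cn = parse_dn(cert_subject_dn).get('CN')
    if cn is None:
        return ['certificate subject has no CN']
    problems = []
    if cn.lower() != interface_name.lower():
        problems.append(f"cert CN '{cn}' != demand-dial interface '{interface_name}'")
    if account_name.lower() != interface_name.lower():
        problems.append(f"account '{account_name}' != demand-dial interface '{interface_name}'")
    return problems

# Constructed sample: an auto-enrolled machine cert carries the machine FQDN
# as its CN, which is the mismatch the thread describes.
AUTO_ENROLLED = check_s2s_names('callingserv', 'callingserv',
                                'CN=callingserv.company.local, DC=company, DC=local')
# Constructed sample: a cert enrolled with CN equal to the interface name.
ROUTER_CERT = check_s2s_names('callingserv', 'callingserv',
                              'CN=callingserv, O=Company\\, Inc.')
```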
RE: Discussion of article on site to site VPN with EAP ... - 27.Feb.2005 1:22:00 PM   
krypto9t

 

Posts: 13
Joined: 1.Dec.2003
Status: offline
Tom,

Is there a document for doing this using ISA 2000?

(in reply to tshinder)
Post #: 4
RE: Discussion of article on site to site VPN with EAP ... - 27.Feb.2005 7:37:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Krypt,

You bet. It's all in the ISA 2000 VPN Deployment Kit.

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion of article on site to site VPN with EAP ... - 24.Jul.2005 3:23:00 PM   
Guest
Ok... I'm at a loss.

I have a remote site running RRAS, and head office running ISA2k4. The calling server has a computer certificate already. Let's say server name is callingserv.company.local.

I've tried setting the interface names at both sides to "callingserv" and to "callingserv.company.local" and there is an AD account with the callingserv certificate mapped (an AD account with the short name and fqdn). Still comes back bad username/password and the ISA logs "IAS_NO_SUCH_USER".

Very frustrating.

Thoughts?

(in reply to tshinder)
Post #: 6
RE: Discussion of article on site to site VPN with EAP ... - 25.Jul.2005 6:22:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Brian,

Looks like you're using IAS -- use Windows auth. You need to make the ISA firewall a domain member (no problem with that, since it's a best practice around here).

HTH,
Tom

(in reply to tshinder)
Post #: 7