
Welcome to ISAserver.org


Certificate filtering

All Forums >> [ISA Server 2004 Misc.] >> ISA Server 2004 Wish List >> Certificate filtering Page: [1]
Certificate filtering - 15.Jun.2005 5:20:00 AM   
frbee
Posts: 8
Joined: 8.Jul.2004
Status: offline
Hi,

I've already implemented ISA server as VPN server using L2TP with certificates. It would be nice if ISA server could filter on certain certificate fields like the subject or EKU field.

When we implemented ISA server as a VPN server, our customer wanted to use commercial computer certificates. The problem here is that if ISA server trusts the root CA, all computer certificates issued by this CA are trusted. So it would be nice to filter on certain fields.
Post #: 1
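The filter frbee asks for, applied as an audit rather than as an ISA Server feature: the script below (an added example, not code from the thread or from ISA Server, and written in PowerShell, a tool that did not exist when the post was made) walks the local machine's Personal store and reports which certificates a field-level policy would accept. It does the only check that "trust the root CA" gives you (chain building), then pins the issuing CA's thumbprint, matches the subject against a naming rule and requires the EKUs Windows IPsec expects. The thumbprint value and the `.corp.example` naming rule are constructed placeholders; the two EKU OIDs are the real Client Authentication and IP security IKE intermediate identifiers.

```powershell
# Added example: evaluate certificates in the local machine Personal store against a
# field-level policy (issuer pin, subject rule, required EKUs). Policy values are
# constructed placeholders; replace them with your own issuing-CA thumbprint and naming rule.
$Policy = @{
    # Placeholder: thumbprint of the single issuing CA you want to accept.
    AllowedIssuerThumbprint = 'PLACEHOLDER-ISSUING-CA-THUMBPRINT'
    # Constructed naming rule: only hosts in your own DNS namespace.
    SubjectPattern          = '^CN=[A-Za-z0-9-]+\.corp\.example(,|$)'
    # Required EKUs: Client Authentication and "IP security IKE intermediate",
    # the usages Windows IPsec looks for on a computer certificate.
    RequiredEkuOids         = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.8.2.2')
}

function Test-CertificateAgainstPolicy {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)]
        [hashtable] $Policy
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    # 1. Chain must build to a trusted root with revocation checked. This is all that
    #    "trusting the root CA" verifies; every other customer of the CA passes it too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $reasons.Add("chain does not build to a trusted root: $status")
    }

    # 2. Pin the issuing CA so that certificates from other customers of the same
    #    commercial CA are rejected even though they chain to the same root.
    if ($chain.ChainElements.Count -ge 2) {
        $issuer = $chain.ChainElements[1].Certificate
        if ($issuer.Thumbprint -ne $Policy.AllowedIssuerThumbprint) {
            $reasons.Add("issuer $($issuer.Thumbprint) is not the allowed issuing CA")
        }
    } else {
        $reasons.Add('no issuing CA in chain (self-signed or chain incomplete)')
    }

    # 3. Subject naming rule.
    if ($Certificate.Subject -notmatch $Policy.SubjectPattern) {
        $reasons.Add("subject '$($Certificate.Subject)' does not match the naming rule")
    }

    # 4. Every required EKU must be present; a certificate without an EKU extension fails.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $presentOids = @()
    if ($ekuExt) { $presentOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $Policy.RequiredEkuOids) {
        if ($presentOids -notcontains $oid) { $reasons.Add("missing EKU $oid") }
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Accepted   = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Report the verdict for every certificate in the machine store.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateAgainstPolicy -Certificate $_ -Policy $Policy } |
    Format-Table -AutoSize
```

The same function can be pointed at a peer's certificate exported from a capture or from the event log to see whether a given VPN client would have been accepted under the policy, which is the question the original post is really asking.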
RE: Certificate filtering - 26.Jun.2005 10:26:00 AM   
Rickymag
Posts: 509
Joined: 26.Nov.2003
From: SA
Status: offline
Interesting request, this would be useful [Smile]

RM

(in reply to frbee)
Post #: 2
RE: Certificate filtering - 28.Jun.2005 4:53:00 AM   
frbee
Posts: 8
Joined: 8.Jul.2004
Status: offline
Another interesting feature would be that L2TP tunnels could be set up between a user and an ISA server instead of a computer and the ISA server.

I'm from Belgium and here we are in the deployment phase of eID cards. So our identity cards contain digital certificates issued by CertiPost.

When setting up a VPN (L2TP) connection to the ISA server, you can only select certificates from the computer certificate store. It would be nice if you could select certificates from the user store. It would allow us to use our eID card, which we always have with us, to set up a VPN connection.

(in reply to frbee)
Post #: 3
RE: Certificate filtering - 28.Jun.2005 2:48:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kabouter Plop,

By design, a double authentication happens with L2TP/IPSec. First of all the machine is authenticated as part of the IPSec negotiation (computer certificate or preshared key). Next you can strongly authenticate the user on the L2TP level (EAP authentication) with a smartcard.

BTW --- strong user authentication with a smartcard is also possible with PPTP. However, no machine authentication happens here.

HTH,
Stefaan

(in reply to frbee)
Post #: 4
RE: Certificate filtering - 29.Jun.2005 3:28:00 PM   
Rickymag
Posts: 509
Joined: 26.Nov.2003
From: SA
Status: offline
Kabouter Plop,

Sounds like an application that can be developed for ISA that will really enhance its features. I am dealing with a great Russian developer and will ask him about this; I am not sure if he has any cert experience. But I like this suggestion [Smile] It adds much functionality to ISA.

RM

(in reply to frbee)
Post #: 5
RE: Certificate filtering - 30.Jun.2005 2:54:00 AM   
frbee
Posts: 8
Joined: 8.Jul.2004
Status: offline
Hi Spouseele,

I understand what you mean with the double authentication but my problem is that I have to install an additional certificate on my machine. (So I have to deploy a PKI...)
On my identity card I already have a certificate for free, so I want to use that to set up the IPSEC communication.
I understand that IPSEC is normally set up between machines and do not know if the RFC allows you to set it up between a user and an ISA server.

PPTP with EAP is a nice alternative, although PPTP was not very secure in the past. I do not know the latest status on this. But does anyone know if the encryption used by PPTP is really secure?

I already want to thank you for your previous comment.

Kind Regards,

Kabouter Plop

(in reply to frbee)
Post #: 6
RE: Certificate filtering - 30.Jun.2005 4:20:00 AM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kabouter Plop,

The eID card is all about user identity, not machine identity. Because the IPSec part in L2TP/IPSec is all about authenticating the machine by design, the eID will never work for that! [Wink]

In our policy, VPN users and machines must be under our administrative control and therefore be domain members. That means that we can use automatic roll-out and renewal of computer certificates if you use AD-integrated certificate services. That is very easy to set up.

What about using eID cards for user authentication? Theoretically it should work for the L2TP part in L2TP/IPSec and PPTP (both can use EAP-TLS). I haven't tried it yet, but I think the challenge is how you map the eID card user to a domain user. I know that Microsoft has much interest in doing some development for the eID card. However, nothing concrete as far as I know, unless W2K3-R2 would have some new features in that respect (AD federation?). There is a rumour that Telindus has developed something for using the eID card to log on to Windows (modified GINA?), but I haven't seen it yet.

It is a misconception that PPTP nowadays has some bad design problems. That's not true; the problems were fixed about seven years ago. What is true is that by design PPTP cannot deliver the same protection level as IPSec, but that's another story. Also, the encryption key strength depends on the password used. So, using a strong password and password scheme (at least MSCHAPv2) is a must. The best protection you can get is if you use EAP-TLS authentication with certificates (e.g. smartcards). In that case the encryption keys are derived from the TLS negotiation and they are always strong.

HTH,
Stefaan

(in reply to frbee)
Post #: 7