I've already implemented ISA server as a VPN server using L2TP with certificates. It would be nice if ISA server could filter on certain certificate fields like the subject or EKU field.
When we implemented ISA server as a VPN server, our customer wanted to use commercial computer certificates. The problem here is that if ISA server trusts the root CA, all computer certificates issued by this CA are trusted. So it would be nice to filter on certain fields.
Another interesting feature would be that L2TP tunnels could be set up between a user and an ISA server instead of a computer and the ISA server.
I'm from Belgium and here we are in the deployment phase of eID cards. So our identity cards contain digital certificates issued by CertiPost.
When setting up a VPN (L2TP) connection to the ISA server, you can only select certificates from the computer certificate store. It would be nice if you could select certificates from the user store. It would allow us to use our eID card, which we always have with us, to set up a VPN connection.
By design, a double authentication happens with L2TP/IPSec. First of all the machine is authenticated as part of the IPSec negotiation (computer certificate or preshared key). Next you can strongly authenticate the user on the L2TP level (EAP authentication) with a smartcard.
BTW --- strong user authentication with a smartcard is also possible with PPTP. However, no machine authentication happens here.
Sounds like an application that can be developed for ISA that will really enhance its features. I am dealing with a great Russian developer and will ask him about this; I am not sure if he has any cert experience. But I like this suggestion. It adds much functionality to ISA.
I understand what you mean with the double authentication, but my problem is that I have to install an additional certificate on my machine. (So I have to deploy a PKI...) On my identity card I already have a certificate for free, so I want to use that to set up the IPSec communication. I understand that IPSec is normally set up between machines and do not know whether the RFC allows you to set it up between a user and an ISA server.
PPTP with EAP is a nice alternative, although PPTP was not very secure in the past. I do not know the latest status on this. But does anyone know if the encryption used by PPTP is really secure?
I already want to thank you for your previous comment.
The eID card is all about user identity, not machine identity. Because the IPSec part in L2TP/IPSec is all about authenticating the machine by design, the eID will never work for that!
In our policy, VPN users and machines must be under our administrative control and therefore be domain members. That means that we can use automatic roll-out and renewal of computer certificates if you use AD-integrated certificate services. That is very easy to set up.
What about using eID cards for user authentication? Theoretically it should work for the L2TP part in L2TP/IPSec and for PPTP (both can use EAP-TLS). I haven't tried it yet, but I think the challenge is how you map the eID card user to a domain user. I know that Microsoft has much interest in doing some development for the eID card. However, nothing concrete as far as I know, unless W2K3-R2 would have some new features in that respect (AD federation?). There is a rumour that Telindus has developed something for using the eID card to log on to Windows (modified GINA?), but I haven't seen it yet.
It is a misconception that PPTP nowadays has some bad design problems. That's not true; the problems were fixed about seven years ago. What is true is that by design PPTP cannot deliver the same protection level as IPSec, but that's another story. Also, the encryption key strength depends on the password used. So, using a strong password and password scheme (at least MSCHAPv2) is a must. The best protection you can get is if you use EAP-TLS authentication with certificates (e.g. smartcards). In that case the encryption keys are derived from the TLS negotiation and they are always strong.
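The first post asks for ISA to accept computer certificates based on their Subject or EKU rather than on "issued by a trusted root" alone. As an added illustration (not code from the thread and not an ISA feature), this PowerShell script applies such a policy to the certificates in the local machine store: it builds the chain, pins the root to a specific thumbprint, requires the Client Authentication EKU and restricts the Subject to names under your own control. The root thumbprint and subject pattern are placeholders you would replace with your own values.

```powershell
# Added example: a certificate acceptance policy that goes beyond trusting a root CA.
# Placeholders for your environment; replace before use.
$ExpectedRootThumbprint = 'PLACEHOLDER_ROOT_CA_THUMBPRINT'   # the CA you actually issue from
$ExpectedSubjectPattern = '^CN=.*\.example\.local$'           # machine names in your own domain
$ClientAuthEku          = '1.3.6.1.5.5.7.3.2'                 # id-kp-clientAuth

function Test-VpnComputerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $report = [pscustomobject]@{ Subject = $Certificate.Subject; Result = ''; Detail = '' }

    # 1. Chain validation with online revocation checking: the root must be trusted at all.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Certificate)) {
        $report.Result = 'chain invalid'
        $report.Detail = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        return $report
    }

    # 2. Pin the root: "a trusted root" is not the same as "our root".
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
        $report.Result = 'wrong root'; $report.Detail = $root.Subject; return $report
    }

    # 3. Require the Client Authentication EKU on the leaf certificate.
    $ekuExt = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($oids -notcontains $ClientAuthEku) {
        $report.Result = 'missing clientAuth EKU'; $report.Detail = ($oids -join ','); return $report
    }

    # 4. Restrict the Subject so that other customers of the same commercial CA are rejected.
    if ($Certificate.Subject -notmatch $ExpectedSubjectPattern) {
        $report.Result = 'subject not allowed'; $report.Detail = $Certificate.Subject; return $report
    }

    $report.Result = 'accepted'
    return $report
}

# Evaluate every certificate in the local computer's personal store and list the verdicts.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnComputerCertificate -Certificate $_ } |
    Format-Table -AutoSize
```

Run it on the ISA server (or any domain member) to see which installed computer certificates would pass a Subject/EKU policy; certificates that merely chain to a trusted root but fail steps 2 to 4 are exactly the ones the first post wants to exclude.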