Cisco VPN3K and MS CA CRL?
Lawaetz, Erik
ELAW at DR.DK
Thu Apr 26 08:07:37 EDT 2001
> We're working on a setup with a Cisco VPN 3000 concentrator (running
> version 3.0.1)
> and two Windows 2000 CA servers (root and sub CA).
> We wish to supply all VPN clients with certificates and verify them both
> based on certificates and RADIUS.
> We're using the Cisco VPN Client version 3.0.
> We plan to take the root CA offline and rely solely on the sub CA.
> Does anyone have experience with such a setup?
>
> Currently we can basically connect but I've got a few questions regarding
> the use of certificates:
> * We've managed to create a Certificate Revocation List (CRL) on the
> sub CA, and we've tried to enable CRL checking on the VPN3K.
> Any way we can check whether the VPN3K actually gets the CRL?
> There seems to be no way one can verify it on the box, and little/no debug
> info.
> We can tell it ain't working since our clients can no longer validate when
> we enable CRL checking, but we've got no clue as to why the CRL check
> fails.
> * In the Cisco VPN Client you can either choose a group name and
> password (shared secret) or a certificate as authentication method.
> Choosing the latter automatically puts the user in the base group when
> they log into the VPN3K.
> How can I both use certificates and split users into separate groups?
> I'd like to be able to split my users into groups, and specifically apply
> group filters to external users.
>
> --Erik
>
> ---------------------------------
> Erik Lawaetz
> Danish Broadcasting Corporation
> http://www.dr.dk/
> http://www.lawaetz.dk/
>
>