Cisco VPN3K and MS CA CRL?

Pete Davis pete at ETHER.NET
Thu Apr 26 16:10:18 EDT 2001


> > *	We've managed to create a Certificate Revocation List (CRL) on the
> > sub CA, and we've tried to enable CRL checking on the VPN3K.
> > Any way we can check whether the VPN3K actually gets the CRL?

If CRL checking is enabled, users will not be able to authenticate without the
VPN 3K getting the CRL. You can turn up CERT/CERTDBG/CERTDECODE and LDAP
debugging to levels 1-13 temporarily to verify that this is happening.

> > We can tell it ain't working since our clients can no longer validate when
> > we enable CRL checking, but we've got no clue as to why the CRL check
> > fails.

Turn on the above logging; this will provide some clue as to what is going on.

> > *	In the Cisco VPN Client you can either choose a group name and
> > password (shared secret) or a certificate as authentication method.
> > Choosing the latter automatically puts the user in the base group when
> > they log into the VPN3K.
> > How can I both use certificates and split users into separate groups?
> > I'd like to be able to split my users into groups, and specifically apply
> > group filters to external users.

If an OU exists in the Certificate, a user will be assigned permissions from
that particular group. This would include things such as a filter that was
assigned to the group.

--p


---
            Pete Davis - Product Manager  (508) 541-7300 x6154
         Cisco Systems, Inc.  - 38 Forge Park   Franklin, MA 02038
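The two rules the reply describes (CRL checking is fail-closed: no CRL retrieved means no authentication; and an OU in the certificate selects the group, otherwise the user lands in the base group) can be modelled in a few lines. The following is an added illustration, not code from the original post and not Cisco's implementation: the group names, filter names, serial numbers and subject DNs are constructed, and the DN parser follows the usual RFC 4514 comma-separated form with backslash escapes so that a value such as `CN=Doe\, Jane` is not split into two RDNs.

```python
"""Model of VPN3K-style group assignment from a certificate subject plus
CRL checking. Constructed example: names and values are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Group:
    name: str
    filter_name: Optional[str] = None  # e.g. a filter applied to external users


# Constructed configuration: base group has no filter, "external" is filtered.
BASE_GROUP = Group("base")
GROUPS: Dict[str, Group] = {
    "external": Group("external", "deny-internal-nets"),
    "staff": Group("staff"),
}


@dataclass
class Decision:
    allowed: bool
    group: Optional[str]
    filter_name: Optional[str]
    reason: str


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a subject DN like 'CN=jdoe,OU=external,O=Example' into
    (ATTR, value) pairs. A backslash escapes the next character, so an
    escaped comma stays inside the value instead of starting a new RDN."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def authorize(subject_dn: str, serial: int, crl_checking: bool,
              crl: Optional[Set[int]], groups: Dict[str, Group] = GROUPS,
              base: Group = BASE_GROUP) -> Decision:
    """Decide whether a certificate-authenticated user is admitted and which
    group (and therefore which filter) applies.

    crl is the set of revoked serials from the retrieved CRL, or None when
    the concentrator could not fetch one. With CRL checking enabled, a
    missing CRL denies everyone, which is the symptom described in the thread."""
    if crl_checking:
        if crl is None:
            return Decision(False, None, None,
                            "CRL checking enabled but no CRL was retrieved")
        if serial in crl:
            return Decision(False, None, None, "certificate serial is revoked")

    # First OU that names a configured group wins; exact match on the OU value.
    for attr, value in parse_dn(subject_dn):
        if attr == "OU" and value in groups:
            g = groups[value]
            return Decision(True, g.name, g.filter_name, f"matched OU {value!r}")

    return Decision(True, base.name, base.filter_name,
                    "no OU matched a configured group; assigned to base group")


if __name__ == "__main__":
    dn = "CN=jdoe,OU=external,O=Example"
    print(authorize(dn, 0x1001, True, None))      # denied: no CRL retrieved
    print(authorize(dn, 0x1001, True, {0x1001}))  # denied: revoked
    print(authorize(dn, 0x1002, True, set()))     # allowed, group external + filter
    print(authorize("CN=Doe\\, Jane,O=Example", 7, False, None))  # base group
```

The first call reproduces the failure mode in the question: CRL checking on, CRL never fetched, every certificate user rejected. Once the CRL arrives, the OU in the subject drives the group and its filter, and a certificate with no matching OU falls through to the base group exactly as the reply states.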

VPN is sponsored by SecurityFocus.COM