Problem with Cisco VPN3K and RSA certificates with OU=group

Lawaetz, Erik ELAW at DR.DK
Thu May 10 10:30:25 EDT 2001


I'm working on a Cisco VPN3K (version 3.0) using the CiscoVPNclient (3.0).
The clients and the VPN3K all have RSA 1024-bit certificates from the same
Sub-CA.
I use RADIUS for simple user authentication, but I'm not using the "group
lock" feature.

When users log in thru' the Base Group everything works fine.

The group I've defined in the VPN3K inherits everything from the Base Group.

When users log in with a certificate with OU=group on the VPN3K, then the
IKE phase 1 negotiation fails.
They run thru' all 11 predefined IKE proposals, without ever reaching
agreement.

I'm aware that I can prioritize IKE proposals in the VPN3K, but that doesn't
seem to have any effect.

--Erik

---------------------------------
Erik Lawaetz
Danish Broadcasting Corporation
TV-Byen
DK 2860 Søborg
Denmark
Phone:	+45 3520 2846
Fax:	+45 3520 2050
http://www.dr.dk/
http://www.lawaetz.dk/
