Machine Certificates for L2TP/IPSEC

Wil

Hi,

I have set up a test lab with 3 computers and one server. One of the computers was set up as a certificate server (stand-alone) and the server was set up to do L2TP/IPsec. The 4 computers are not in a domain. Everything works fine. For L2TP/IPsec, machine certificates need to be installed on both the client PC and the VPN server. What I am trying to do is make sure that for every user who is meant to access the VPN server a machine certificate is installed on both the server and the client PC, so that in case the user's laptop gets stolen all that needs to be done is delete the certificate for that user from the VPN server. I need ideas on how to go about doing that. How do I associate a certain MACHINE CERTIFICATE with a particular user?

Help would be greatly appreciated.
Thanks

Steven L Umbach

You can't really associate a machine certificate with a user. You can restrict who can log onto a computer via user right assignments. Certificates are not deleted from a CA, they are revoked and published in the CRL, which is available to users/computers via a share or download via Certificate Web Services. A bigger concern is that users not be allowed to save their logon credentials for VPN logon via the VPN client connection. If a laptop is stolen, it is fairly easy to reset the administrator's password, and if the VPN logon credentials are saved, bingo, they are in your network. You may want to activate a boot/hard disk access password on the laptops if they can be configured, but if that password is lost then you probably need to send the laptop to the manufacturer to have it reset. See related links below. ---Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;313281
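The revoke-and-publish step Steve describes, as an added example that is not part of the original thread or of any Microsoft documentation. It assumes you run it on the stand-alone CA as a CA administrator and that you keep your own inventory file (the path C:\PKI\machine-certs.csv and its columns are constructed for this example) recording which machine certificate serial number was issued to which laptop and handed to which person. That inventory is the only link between a machine certificate and a user; the certificate itself identifies the computer, not the person, so "revoking the user's certificate" really means looking up the laptop's certificate and revoking that.

```powershell
# Added example: revoke a stolen laptop's machine certificate on a Windows CA
# and republish the CRL. Runs on the CA server; certutil.exe ships with
# Certificate Services. The inventory CSV, its path and its columns are
# assumptions made for this example, not something the CA maintains for you.
param(
    [Parameter(Mandatory)] [string] $Laptop,           # hostname as recorded in the inventory
    [string] $Inventory = 'C:\PKI\machine-certs.csv',  # assumed inventory location
    [int]    $Reason = 1                                # CRL reason code 1 = KeyCompromise
)

# Constructed inventory format, one row per issued machine certificate:
#   Laptop,User,Serial,Issued
#   LAPTOP01,alice,61a2c4e9000000000003,2004-03-01
$rows  = Import-Csv -Path $Inventory
$match = @($rows | Where-Object { $_.Laptop -eq $Laptop })
if ($match.Count -eq 0) {
    throw "No machine certificate on record for $Laptop; nothing to revoke"
}

foreach ($row in $match) {
    Write-Host "Revoking serial $($row.Serial) (laptop $($row.Laptop), issued to $($row.User))"
    # certutil -revoke <SerialNumber> <Reason> marks the certificate revoked in the
    # CA database. Nothing is deleted: the record stays so the CRL can list it.
    & certutil.exe -revoke $row.Serial $Reason
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed for serial $($row.Serial)" }
}

# Publish a fresh CRL immediately rather than waiting for the scheduled one,
# so the VPN server picks up the revocation on its next CRL fetch.
& certutil.exe -CRL
if ($LASTEXITCODE -ne 0) { throw 'certutil -CRL failed; the revocation is not yet published' }

# Check: list what the CA database now holds as revoked (Disposition 21).
& certutil.exe -view -restrict "Disposition=21" -out "SerialNumber,RequestID"
```

Two caveats a practitioner should check before relying on this. First, the VPN server must be able to reach the CRL distribution point named in the certificates, and the CRL must be republished there (a share or the web enrollment URL, as Steve notes); a revocation the server cannot fetch does nothing. Second, on the Windows 2000/XP/2003 IKE implementation of that era, CRL checking during IPsec negotiation is not on by default; the StrongCrlCheck value under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley controls it, and until it is set the stolen laptop's revoked certificate will still negotiate an L2TP/IPsec tunnel. Keeping the inventory and revoking promptly is necessary but, on its own, not sufficient.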

loeki

-----Original Message-----
[quotes Wil's original question above in full]