W2003 / XP smartcard vpn with Quarantine


Dave Taylor

Hi all,

I'm shortly to run out of walls to bang my head on ! If anyone can help me
with this to preserve my sanity, I'd be forever in their debt ...

Our setup:
Windows2003 Active directory (2000 native mode)
Windows2003 CA's.
iKey3000 usb pki token
Windows 2003 RRAS & Windows 2003 IAS (radius server)
Clients running Windows XP
All servers/clients patched to most recent levels (including Q818043 on
Microsoft 'Quarantine' system of rqs/rqc running ...

For info, the vpn system is l2tp. Smartcard certificates are stored on the
usb token.

We have made a cmak (connection manager admin kit) connection profile for
users to connect to our vpn system. The user simply hits "connect" and is
asked for their token password. Fine. What then happens is that (post
connect) the first time the user connects is any way to a system on the
network (eg accesses a network drive, or accesses outlook etc.) their client
pc asks them again for the same smartcard password. Once these have been
entered, the client has full access to whatever they should have.

Why should this happen ? More importantly (for us) is 'can this be switched
off ?' - ie we believe the user should only have to enter their password to
the token once (at the "connect" stage) and then this should be passed
through to the network.

Anyone have any ideas how we can do this ? or, any suggestions as to where
the problem might lie ? (rqc / token middleware / RRAS)

If the problem seems trivial - it isn't to us - as we'll have approx 600
sales guys connecting with this system soon - and not all of them are very
computer literate. As the tokens only allow a certain number of failed
logins before locking, we really do need to avoid any potential situations
where this could occur.

My Observations:
- rqc seems (looking at the radius event viewer) to log people into
domain\user as opposed to (e-mail address removed) - I'm not sure if this is
- The first connection from the authenticated user to the network doesn't
appear to be made by the (e-mail address removed) information held in the subject of
the certificate stored on the token. Looking at the security log of the
server it tries to connect to, it looks like the access is made by "NT

Thanks in advance for any comments



Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question