[nsp] Cisco VPN3K and MS CA CRL?

From: ELAW@dr.dk
Date: Wed Apr 25 2001 - 17:35:20 EDT


We're working on a setup with a Cisco VPN 3000 concentrator (running version
3.0.1) and two Windows 2000 CA servers (root and sub CA).
We wish to supply all VPN clients with certificates and verify them both
based on certificates and Radius. We're using the Cisco VPN Client version
3.0.
We plan to take the root CA offline and rely solely on the sub CA. Does
anyone have experience with such a setup?

Currently we can basically connect but I've got a few questions regarding
the use of certificates:
* We've managed to create a Certificate Revocation List (CRL) on the
sub CA, and we've tried to enable CRL checking on the VPN3K.
Any way we can check whether the VPN3K actually gets the CRL?
There seems to be no way one can verify it on the box, and little/no debug
info.
We can tell it ain't working since our clients can no longer validate when
we enable CRL checking, but we've got no clue as to why the CRL check fails.
* In the Cisco VPN Client you can either choose a group name and
password (shared secret) or a certificate as authentication method.
Choosing the latter automatically puts the user in the base group when they
log into the VPN3K.
How can I both use certificates and split users into separate groups?
I'd like to be able to split my users into groups, and specifically apply
group filters to external users.

--Erik

---------------------------------
Erik Lawaetz
Danish Broadcasting Corporation
http://www.dr.dk/
http://www.lawaetz.dk/
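An added example, not part of Erik's post and not Cisco or Microsoft tooling: since the concentrator shows nothing about the CRL it fetched, rebuild the check with openssl on a host you control and compare. The script constructs a throwaway issuing CA standing in for the sub CA, issues two client certificates, revokes one, publishes a CRL, and then runs the same verify-against-CRL step the VPN3K has to perform, printing the per-certificate verdict, the serials the CRL carries, and the CRL's validity window. The CA name and the client names (alice, bob) are made up.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce a CRL check with
# openssl so the pieces the concentrator hides (CRL contents, validity
# window, per-certificate verdict) can be seen on a host you control.
# Everything here is constructed: a throwaway issuing CA standing in for
# the Windows 2000 sub CA, two client certs, and a CRL revoking one of them.

# Fresh scratch directory plus the bookkeeping files "openssl ca" needs.
setup_workdir() {
    WORK="$(mktemp -d)"
    : > "$WORK/index.txt"        # issued-certificate database
    echo 01 > "$WORK/serial"     # next certificate serial
    echo 01 > "$WORK/crlnumber"  # next CRL number
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = sub_ca
[ sub_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_dn
[ any_dn ]
commonName = supplied
EOF
}

# Self-signed issuing CA (the real sub CA would be signed by the offline root).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Sub CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate for the given common name.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$WORK/ca.cnf" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Revoke a client and publish a new CRL (what the sub CA does on "Publish").
revoke_and_publish() {
    openssl ca -batch -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
    openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$WORK/sub.crl" >/dev/null 2>&1
}

# Serial numbers the published CRL revokes, one per line.
revoked_serials() {
    openssl crl -in "$WORK/sub.crl" -noout -text | sed -n 's/^ *Serial Number: //p'
}

# Validity window of the CRL. A verifier treats a CRL past nextUpdate as
# invalid and then rejects every client, which looks like "CRL check fails".
crl_window() {
    openssl crl -in "$WORK/sub.crl" -noout -lastupdate -nextupdate
}

# The check the concentrator runs: chain to the CA, then consult the CRL.
# Prints ok / revoked / stale-crl / error:<detail>; always returns 0.
crl_status() {
    out="$(openssl verify -crl_check -CAfile "$WORK/ca.crt" \
        -CRLfile "$WORK/sub.crl" "$WORK/$1.crt" 2>&1)" || true
    case "$out" in
        *": OK"*)                echo ok ;;
        *"certificate revoked"*) echo revoked ;;
        *"CRL has expired"*)     echo stale-crl ;;
        *)                       echo "error: $out" ;;
    esac
}

setup_workdir
make_ca
issue_client alice
issue_client bob
revoke_and_publish bob
crl_window
echo "revoked serials: $(revoked_serials | tr '\n' ' ')"
echo "alice: $(crl_status alice)"   # ok
echo "bob:   $(crl_status bob)"     # revoked
```

Two things worth comparing with what the concentrator is given: the serials the CRL actually lists, and nextUpdate. A CRL that is past nextUpdate is rejected as a whole, so every client stops validating, not only the revoked ones, which matches the symptom of all clients failing as soon as CRL checking is switched on.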



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:35 EDT