topic Re: VPN client mutual group authentication -- restrict root cert in Network Access Control

VPN client mutual group authentication -- restrict root cert

fanheuser — Fri, 21 Feb 2020 18:14:06 GMT

On a VPN client configured for mutual group authentication to a VPN 3000 headend, is it possible to restrict which root certificate is matched against the VPN concentrator's identity certificate?

Background: multiple CA root certificates are installed on the VPN client for other reasons, but only one CA should be used for the VPN mutual group authentication.

Re: VPN client mutual group authentication -- restrict root cert

ebreniz — Wed, 11 Jan 2006 16:56:06 GMT

As far as I know, there is no option to define this on the VPN client. May be the VPN client tries to match the certificate in the order listed on the client. I am not sure of this, though you can try placing the certificate on the top of the list.

Re: VPN client mutual group authentication -- restrict root cert

fanheuser — Fri, 13 Jan 2006 09:18:31 GMT

Ordering the list does not help, because I want only to match against certain of all installed root certificates.

Thanks nevertheless ... in the meantime, I found something:

-- VPN client version 4.0.5: no restriction possible, only the certificate store used for matching can be defined (Microsoft, Cisco)

-- VPN client 4.6 and later: with the "VerifyCertDN" keyword in the connection profile, this can be done.

The connection profile attributes "CertName" or "CertSubjectName" are apparently not checked for this type of authentication.