10-11-2002 10:47 AM - edited 02-21-2020 10:04 AM
Can I use a MS certificate server to authenticate PCs going through a 3015 VPN concentrator? The need is to ensure that we only allow approved PCs through the link. Using a shared secret is not enough because an end user that knows the shared secret can load the vpn client on another box and configure to connect.
Any help would be greatly appreciated.
Thanks.
10-11-2002 07:55 PM
You can use certificates for authentication instead of pre-shared keys, if that is what you meant:
http://www.cisco.com/warp/public/471/installboth.html .
Regards,
10-14-2002 04:38 AM
Yes you can, but the CA must be a Certificate server in an AD domain. The concentrator does an LDAP lookup to AD.
10-17-2002 12:12 PM
Thanks for the reply. So a standalone Win2000 server running as a CA will not work? This is pretty helpful as we are also ramping up to AD right now; I will have to make sure this is available prior to my implementation.
Any documentation on this specific subject? Any links?
Thanks Again.
10-17-2002 12:24 PM
If I remember correctly, it was about a year ago, the concentrator uses LDAP to check the CRL and the only way to get a MS CA to respond to an LDAP lookup is to have the CA on an AD Domain Controller. You also need to enable LDAP on your interface filters.
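The checks the replies describe, in one added Go example that is not Cisco's code nor the concentrator's actual implementation: a client certificate is accepted only if it chains to the organisation's CA, is valid now, and its serial is absent from a fresh, CA-signed CRL. The CA name, PC names, serial numbers and lifetimes are constructed for the demo, and the CRL is parsed from a byte slice instead of being fetched over LDAP from AD as the concentrator does. Note the fail-closed handling of a stale or unsigned CRL, which is the case a lost or reassigned PC depends on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI holds a throwaway CA, one approved and one revoked client cert, and the CA's CRL.
type DemoPKI struct {
	CA, Approved, Revoked *x509.Certificate
	CRL                   []byte // DER-encoded CRL signed by CA
	Now                   time.Time
}

// issueCert signs tmpl with the issuer's key and returns the parsed certificate.
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI constructs the sample material; every name, serial and lifetime here is made up.
func BuildDemoPKI() (*DemoPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example VPN CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CA may sign certs and CRLs
	}
	ca, err := issueCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, err
	}
	// Each approved PC gets its own certificate; the private key never leaves that machine.
	clients := make([]*x509.Certificate, 2)
	for i, cn := range []string{"pc-approved-01", "pc-lost-02"} {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(100 + i)), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		if clients[i], err = issueCert(tmpl, ca, &k.PublicKey, caKey); err != nil {
			return nil, err
		}
	}
	// Revoke the second PC (say, reported lost) and publish a CRL that is fresh for 12 hours.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: clients[1].SerialNumber, RevocationTime: now.Add(-time.Minute)},
		},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{CA: ca, Approved: clients[0], Revoked: clients[1], CRL: crlDER, Now: now}, nil
}

// VerifyClientCert accepts cert only if it chains to ca, is valid at now, and is not
// listed in a CRL that is signed by ca and has not passed its NextUpdate.
func VerifyClientCert(cert, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	// An unsigned or stale CRL must not be trusted: fail closed instead of skipping revocation.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature invalid: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale, refusing to authenticate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
```

`VerifyClientCert` is the part a VPN gateway performs at IKE time; in the thread's setup the `crlDER` bytes would come from the LDAP lookup against the AD-integrated CA, which is why that lookup has to be reachable through the interface filters.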