Access control in Altiga based on user's full DN.

jan-jorgensen
Level 1

We are testing remote access based on Cisco VPN Concentrator 3005 and VPN 3000 client v. 2.5.2.

We have set up a CA for issuing the certificates and a directory for CRL.

In order to distinguish between the different groups of users we use the mechanism that maps the user certificate "ou" field to groups on the 3005.

The setup is this: we have a user with certificate DN:

cn=John Doe, ou=Networking, o=Tele Danmark, c=DK

which gets the right on the 3005 according to the "Networking" group.

BUT a user with DN:

cn=Evil Alice, ou=Networking, o=Telia, c=DK

gets the same right when trying to access the 3005.

A prerequisite for Alice to gain unauthorized access seems to be that she can get a certificate from the same CA and with the right "ou"-field.

This is not a desired functionality - it would be nice if the groups on the 3005 were defined on the basis of the following instead of the "ou" field only:

1) Issuing CA

2) Full RDN (Relative DN), e.g. in the example above that the group was identified by

ou=Networking, o=Tele Danmark, c=DK
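To make the difference between the two policies concrete, here is an added example (not Cisco's code and not how the VPN 3000 concentrator implements its matching). It takes the two DNs from the post, constructs a hypothetical issuer DN for the CA, and evaluates each subject under an OU-only mapping and under a mapping that requires both a specific issuing CA and the full trailing RDN sequence "ou=Networking, o=Tele Danmark, c=DK". The parser, the policy tables and the issuer name are assumptions made for the example.

```python
# Added illustration, not the concentrator's code: OU-only group mapping
# versus mapping on issuing CA plus the full trailing RDN sequence.

def parse_dn(dn):
    """Parse 'cn=John Doe, ou=Networking, o=Tele Danmark, c=DK' into a list of
    (attribute, value) tuples, lower-casing attribute names and trimming
    whitespace. Plain comma splitting; escaped commas are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        parts.append((attr.strip().lower(), value.strip()))
    return parts


# Policy 1: OU-only mapping, as the post describes the 3005 behaving.
OU_GROUPS = {"Networking": "Networking"}

def group_by_ou(subject_dn):
    """Return the group for the first OU value found anywhere in the DN."""
    for attr, value in parse_dn(subject_dn):
        if attr == "ou" and value in OU_GROUPS:
            return OU_GROUPS[value]
    return None


# Policy 2: issuing CA plus full trailing RDN sequence (the post's wish list).
# The issuer DN is a constructed placeholder, not a real CA name.
TRUSTED_ISSUER = "cn=Example Issuing CA, o=Tele Danmark, c=DK"
SUFFIX_GROUPS = {"ou=Networking, o=Tele Danmark, c=DK": "Networking"}

def group_by_issuer_and_suffix(subject_dn, issuer_dn):
    """Return a group only if the certificate comes from TRUSTED_ISSUER and the
    subject DN ends with one of the configured RDN sequences, in order."""
    if parse_dn(issuer_dn) != parse_dn(TRUSTED_ISSUER):
        return None
    subject = parse_dn(subject_dn)
    for suffix_dn, group in SUFFIX_GROUPS.items():
        suffix = parse_dn(suffix_dn)
        if len(subject) >= len(suffix) and subject[-len(suffix):] == suffix:
            return group
    return None


# Constructed sample certificates: the two subjects from the post, both
# issued by the same (placeholder) CA, plus one from an unrelated CA.
SAMPLE_CERTS = [
    {"subject": "cn=John Doe, ou=Networking, o=Tele Danmark, c=DK",
     "issuer": TRUSTED_ISSUER},
    {"subject": "cn=Evil Alice, ou=Networking, o=Telia, c=DK",
     "issuer": TRUSTED_ISSUER},
    {"subject": "cn=John Doe, ou=Networking, o=Tele Danmark, c=DK",
     "issuer": "cn=Some Other CA, o=Elsewhere, c=SE"},
]

def evaluate(certs):
    """Map each sample subject to (ou_only_group, strict_group)."""
    return {
        c["subject"] + " / " + c["issuer"]: (
            group_by_ou(c["subject"]),
            group_by_issuer_and_suffix(c["subject"], c["issuer"]),
        )
        for c in certs
    }

if __name__ == "__main__":
    for cert, (ou_only, strict) in evaluate(SAMPLE_CERTS).items():
        print("%-80s OU-only=%s strict=%s" % (cert, ou_only, strict))
```

Under the OU-only policy both "John Doe" and "Evil Alice" land in the Networking group, which is exactly the behaviour the post reports; under the stricter policy only the certificate whose subject ends with the configured "ou=Networking, o=Tele Danmark, c=DK" sequence and whose issuer matches gets the group. In a real deployment the issuer is established by certificate chain validation rather than by comparing DN strings; the string comparison here simply stands in for "which CA signed this certificate".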

1 Reply

wdrootz
Level 4

It’s my understanding you can file enhancement requests to check other certificate fields through your Cisco rep. At this point I think it only checks OU for a match and the cert validity whether it’s expired or not. By requesting for a product enhancement you’ll be given a bug id that you can track. When you get the bug id, be sure to post it on the board so we can all track it.