

Use client certificates to authenticate with SSTP

Question

Wednesday, November 16, 2016 11:38 AM

We use SSTP in our environment to establish VPN connections to our company. For authentication we use PEAP, which uses a server certificate that we have created for this purpose. This one server certificate is used for all the VPN connections, but we wonder if it's also possible to enforce a client certificate on top of this certificate authentication. Then we can revoke client certificates to disallow clients from connecting to our network.

All replies (9)

Wednesday, November 16, 2016 5:17 PM

You can configure SSTP VPN server to require EAP-TLS client authentication with certificates.

> Then we can revoke client certificates to disallow clients from connecting to our network.

This is not the way your task should be solved. Certificate revocation is not an immediate solution, because CRLs have reasonable latency (due to caching on clients) and the server will accept user logons for already revoked client certificates. If you need to prevent user access, you should disable the user account.

Vadims Podāns, aka PowerShell CryptoGuy
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool.
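The revocation latency described above can be measured rather than guessed. The following PowerShell is an added example, not code from the thread or from Vadims' PSPKI module: it builds the chain for an exported client certificate with online revocation checking (as an NPS/RADIUS server would), extracts the CRL Distribution Point URLs, downloads each CRL and prints its This Update / Next Update window. The certificate path is an assumed placeholder; `certutil.exe` and the .NET X509Chain class are standard Windows components.

```powershell
# Added example: how stale can a revocation be? Assumes $CertPath is an exported client cert.
param(
    [string]$CertPath = 'C:\temp\client.cer'   # assumed path; replace with a real .cer file
)

Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# 1. Build the chain with online revocation checking. Windows serves CRLs from its
#    cache until Next Update passes, so this mirrors what the VPN/NPS server sees.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)
Write-Host ("Chain valid: {0}" -f $valid)
foreach ($status in $chain.ChainStatus) {
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}

# 2. Locate the CRL Distribution Point extension (OID 2.5.29.31) and pull out its URLs.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning 'No CRL Distribution Point extension: revocation cannot be checked via CRL.'
    return
}
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

# 3. Download each CRL and show its validity window. Until Next Update, a client or
#    server may keep using the cached copy, so a freshly revoked certificate can still
#    authenticate during that window; disabling the AD account takes effect immediately.
foreach ($url in $urls) {
    $tmp = Join-Path $env:TEMP 'downloaded.crl'
    Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing
    $dump = & certutil.exe -dump $tmp
    $this = ($dump | Select-String 'This\s?Update' | Select-Object -First 1).Line
    $next = ($dump | Select-String 'Next\s?Update' | Select-Object -First 1).Line
    Write-Host ("CRL {0}`n  {1}`n  {2}" -f $url, $this.Trim(), $next.Trim())
}
```

Run it on a certificate you have just revoked: the chain will typically still report as valid until the CRL's Next Update, which is the latency Vadims refers to.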


Tuesday, November 22, 2016 7:17 AM

Hi,

I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.

Best Regards,
Cartman
Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, November 23, 2016 9:37 AM

Hi Vadims, thank you for the answer you provided. Because of your answer I came across some websites which explained how to configure EAP-TLS. It seems this should be done under "Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network (IEEE 802.11) Policies" in Group Policy. For some reason I don't see EAP-TLS, only Microsoft: Protected EAP (PEAP) and Microsoft: Smart Card or other certificate. We are using Windows 2008, so maybe this has some limitation to it. I will do some testing here and I will let you know how it goes.

PS: I understand that disabling user accounts to disallow users from the network is a better security solution. We are just looking for an additional layer of security.


Thursday, November 24, 2016 6:01 PM

"Microsoft: Smart Card or other certificate" is an EAP-TLS equivalent.

Vadims Podāns, aka PowerShell CryptoGuy


Tuesday, December 6, 2016 1:38 PM

Hi Vadims, thank you for the answer about "Microsoft: Smart Card or other certificate". I have looked at it for some time now and it seems we can use client certificates and server certificates to authenticate with EAP-TLS like you said or use MSCHAPv2 on the client and server certificate on the server to authenticate with PEAP. As far as I can see we cannot use both and that's exactly what we are looking for. Do you know some way to use client certificates and MSCHAPv2 to authenticate to the server? That would be something like MSCHAPv2 after the EAP-TLS authentication.


Wednesday, December 7, 2016 5:59 PM

Why do you want to use multiple authentication protocols?

Vadims Podāns, aka PowerShell CryptoGuy


Thursday, December 15, 2016 8:23 AM

EAP-TLS will make sure only the computers we authorize can authenticate, by using user certificates of users which are present in Active Directory. When we only use EAP-TLS and a person/attacker manages to get hold of these user certificates from some domain users in some way, along with the root certificate of the CA, I have a feeling they can authenticate without having the usernames and passwords. That's why we also want the username and password to be filled in after the EAP-TLS tunnel has been set up, to have an additional layer of security.


Tuesday, December 20, 2016 3:14 AM

Hi,

> That's why we also want the username and password to be filled in after the EAP-TLS tunnel has been set up to have an additional layer of security.

You might need NPS, and a certificate for the connection request policy, password for the network policy.

Best Regards,
Cartman


Thursday, December 22, 2016 2:43 PM

Hi Cartman, can you explain this a little bit? I'm seeing "Connection Request Policies" and "Network Policies" in our Network Policy Server. The Connection Request Policies are where you define if connection requests are being processed locally or forwarded to a remote RADIUS server. The Network Policies are where you define who is authorized to connect to the network, the subject we are talking about.

Now there is a Settings tab beneath the Connection Request Policy with an option "Override network policy authentication settings", but I assume that the network policy will not be progressed any further if I select this one. So, how can I configure it the way you were saying?