Certificate Infrastructure | Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)

To perform certificate-based authentication for L2TP connections and smart card or user certificate–based authentication for VPN connections using EAP-TLS, a certificate infrastructure, also known as a public key infrastructure (PKI), must be in place to issue the proper certificates to submit during the authentication process and to validate the certificate being submitted.

Computer Certificates for L2TP/IPSec

When you are using the certificate authentication method for L2TP/IPSec connections, the list of CAs is not configurable. Instead, each computer in the L2TP/IPSec connection sends a list of root CAs to its IPSec peer, from which it accepts a certificate for authentication. The root CAs in this list correspond to the root CAs that issued computer certificates to the computer. For example, if Computer A was issued computer certificates by root CAs CertAuth1 and CertAuth2, it notifies its IPSec peer during main mode negotiation that it will accept certificates for authentication from only CertAuth1 and CertAuth2. If the IPSec peer, Computer B, does not have a valid computer certificate issued from either CertAuth1 or CertAuth2, IPSec security negotiation fails.

The VPN client must have a valid computer certificate installed that was issued by a CA that follows a valid certificate chain from the issuing CA up to a root CA that the VPN server trusts. Additionally, the VPN server must have a valid computer certificate installed that was issued by a CA that follows a valid certificate chain from the issuing CA up to a root CA that the VPN client trusts.

For example, if the VPN client was issued computer certificates by root CAs CertAuth1 and CertAuth2, it notifies the VPN server during IPSec security negotiation that it will accept certificates for authentication from only CertAuth1 and CertAuth2. If the VPN server does not have a valid computer certificate issued from a CA that follows a certificate chain to either CertAuth1 or CertAuth2, IPSec security negotiation fails.

A single CA commonly issues computer certificates to all computers in an organization. Because of this, all computers within the organization have computer certificates from a single CA, and they request certificates for authentication from the same single CA.

Deploying computer certificates in your organization consists of the following procedures:

Deploy a certificate infrastructure. For more information, see Appendix C.
Install a computer certificate on each computer. For more information, see Chapter 6.

Certificate Infrastructure for Smart Cards

The use of smart cards for user authentication is the strongest form of user authentication in Windows Server 2003. For remote-access VPN connections, you must use the Extensible Authentication Protocol (EAP) with the Smart Card Or Other Certificate (TLS) EAP type, also known as EAP-Transport Layer Security (EAP-TLS).

Deploying smart cards in your organization consists of the following steps:

Create a certificate infrastructure using certification authorities.
For each domain, set security permissions and delegation for the Smart Card User, Smart Card Logon, and Enrollment Agent certificate templates.
Configure the CA to issue smart card and Enrollment Agent certificates.
Configure an enrollment station, a computer that is used to physically install the smart card certificates on smart cards.
Use the enrollment station to create a smart card with a smart card user logon certificate that is installed on the smart card and is assigned to a specific user account.

For more information on how to configure smart cards for user logon, see the topic “Checklist: Deploying Smart Cards for Logging on to Windows” in Windows Server 2003 Help And Support.

The individual smart cards are distributed to users who have a computer with a smart-card reader. To log on to the computer, the smart card must be inserted into the smart-card reader and the smart-card PIN must be typed. When the user attempts a VPN connection, the smart card certificate is sent during the connection negotiation process.

To configure EAP-TLS for smart cards on the VPN client:

The VPN connection must be configured to use EAP with the Smart Card Or Other Certificate EAP type.
In the properties of the Smart Card Or Other Certificate EAP type, select Use My Smart Card.
For Windows 2000 or Windows XP (prior to Service Pack 1) VPN clients, if you want to validate the computer certificate of the VPN or IAS server, select Validate Server Certificate. If you want to ensure that the server’s DNS name ends in a specific string, select Connect Only If Server Name Ends With and type the string. To require the server’s computer certificate to have been issued a certificate from a specific trusted root CA, select the CA in Trusted Root Certificate Authority.
In the properties of the Smart Card Or Other Certificate EAP type, select Use A Certificate On This Computer.
For Windows XP (Service Pack 1 and later) VPN clients, if you want to validate the computer certificate of the VPN or IAS server, select Validate Server Certificate. If you want to configure the names of the authenticating servers, select Connect To These Servers and type the server names. To require the server’s computer certificate to have been issued a certificate from a specific set of trusted root CAs, select them in Trusted Root Certification Authorities.

To configure EAP-TLS authentication on the VPN server, EAP must be enabled as an authentication type on the Authentication Methods dialog box available from the Security tab in the properties of the VPN server in the Routing And Remote Access snap-in.

To configure EAP-TLS authentication on the remote access policy that is being used for VPN connections, the Smart Card Or Other Certificate EAP type must be added to the selected EAP providers from the Authentication tab on the policy’s profile settings. If the computer on which the remote access policy is being configured has multiple computer certificates installed, configure the properties of the Smart Card Or Other Certificate EAP type and select the appropriate computer certificate to submit during the EAP-TLS authentication process.

Certificate Infrastructure for User Certificates

The use of registry-based user certificates for user authentication can be used in place of smart cards. However, it is not as strong a form of authentication. With smart cards, the user certificate issued during the authentication process is made available only when the user physically possesses the smart card and has knowledge of the PIN to log on to her computer. With user certificates, the user certificate issued during the authentication process is made available when the user logs on to her computer using a domain-based user name and password. Just as with smart cards, authentication using user certificates for remote access VPN connections use EAP-TLS as the authentication protocol.

Deploying user certificates in your organization consists of the following steps:

Deploy a certificate infrastructure. For more information, see Appendix C.
Install a user certificate for each user. For more information, see Chapter 6.

When the user attempts a VPN connection, the user certificate is sent during the connection negotiation process.

To configure EAP-TLS for user certificates on the VPN client:

The VPN connection must be configured to use EAP with the Smart Card Or Other Certificate EAP type.
For Windows 2000 or Windows XP (prior to Service Pack 1) VPN clients, if you want to validate the computer certificate of the VPN or IAS server, select Validate Server Certificate. If you want to ensure that the server’s DNS name ends in a specific string, select Connect Only If Server Name Ends With and type the string. To require the server’s computer certificate to have been issued a certificate from a specific trusted root CA, select the CA in Trusted Root Certificate Authority.
For Windows XP (Service Pack 1 and later) VPN clients, if you want to validate the computer certificate of the VPN or IAS server, select Validate Server Certificate. If you want to configure the names of the authenticating servers, select Connect To These Servers and type the server names. To require the server’s computer certificate to have been issued a certificate from a specific set of trusted root CAs, select them in Trusted Root Certification Authorities.

To configure EAP-TLS authentication on the remote access policy, on the remote access policy that is being used for VPN connections, the Smart Card Or Other Certificate EAP type must be added to the selected EAP providers from the Authentication tab on the policy’s profile settings. If the computer on which the remote access policy is being configured has multiple computer certificates installed, configure the properties of the Smart Card Or Other Certificate EAP type and select the appropriate computer certificate to submit during the EAP-TLS authentication process.

Design Point: Certificate Infrastructure

Consider the following when configuring the certificate infrastructure for remote access VPN connections:

To create L2TP/IPSec remote access VPN connections using computer certificate authentication for IPSec, you must install computer certificates, also known as machine certificates, on each VPN client and VPN server. If you are using a Windows Server 2003 enterprise CA as an issuing CA, configure your Active Directory domain for auto-enrollment of computer certificates using Computer Configuration group policy. Each computer that is a member of the domain automatically requests a computer certificate when the Computer Configuration group policy is updated.

The computer certificate of the VPN client must be valid and verifiable by the VPN server—that is, the VPN server must have a root CA certificate for the CA that issued the computer certificate of the VPN client.

Likewise, the computer certificate of the VPN server must be valid and verifiable by the VPN client—that is, the VPN client must have a root CA certificate for the CA that issued the computer certificate of the VPN server.
To authenticate VPN connections using a smart card or user certificate with EAP-TLS, the VPN client must have a smart card or registry-based user certificate installed and the authenticating server must have a computer certificate installed. The authenticating server is either the VPN server (if configured for Windows authentication) or the IAS server (if the VPN server is configured for RADIUS authentication and the RADIUS server is a computer running Windows Server 2003 and IAS).

The smart card or user certificate of the VPN client must be valid and verifiable by the authenticating server—that is, the authenticating server trusts the root CA for the CA that issued the certificate of the VPN client.

The computer certificate of the authenticating server must be verifiable by the VPN client—that is, the VPN client trusts the root CA for the CA that issued the computer certificate of the authenticating server.
To install a computer certificate or a user certificate on a computer across the Internet, make a PPTP connection using a password-based authentication protocol such as MS-CHAP v2. After connecting, use the Certificate Manager snap-in or Internet Explorer to request the appropriate certificates. Once the certificates are installed, disconnect and then reconnect with the appropriate VPN protocol and authentication method. An example of this situation is a laptop computer that is issued to an employee without the certificates needed to make L2TP/IPSec or EAP-TLS-authenticated connections.