Using Third-Party CAs for EAP-TLS Authentication


You can use third-party CAs to issue certificates for EAP-TLS authentication as long as the certificates installed can be validated and have the appropriate properties.

Certificates on the Authenticating Servers

For the computer certificates installed on the authenticating servers (either the VPN servers or the Internet Authentication Service [IAS] servers), the following must be true:

  • They must be installed in the Local Computer certificate store.

  • They must have a corresponding private key.

  • The cryptographic service provider for the certificates supports Secure Channel (Schannel). If not, the certificate cannot be used and it is not selectable from the properties of the Smart Card Or Other Certificate EAP type on the Authentication tab in the Properties dialog box of a profile for a remote access policy.

  • They must contain the Server Authentication Enhanced Key Usage (EKU). An EKU is identified using an object identifier (OID). The OID for Server Authentication is 1.3.6.1.5.5.7.3.1.

  • They must contain the fully qualified domain name (FQDN) of the computer account of the authenticating server in the Subject Alternative Name field of the certificate.

Additionally, the root CA certificates of the CAs that issued the VPN client user certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities certificate store of the authenticating servers.

Certificates on VPN Client Computers

For the user certificates installed on VPN client computers, the following must be true:

  • They must have a corresponding private key.

  • They must contain the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).

  • They must be installed in the Current User certificate store.

  • They must contain the user principal name (UPN) of the user account in the Subject Alternative Name field of the certificate.

Additionally, the root CA certificates of the CAs that issued the IAS server computer certificates must be installed in the Certificates (Local Computer)/Trusted Root Certification Authorities store of the VPN client computers.




Deploying Virtual Private Networks With Microsoft Windows Server 2003
Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)
ISBN: 0735615764
EAN: 2147483647
Year: 2006
Pages: 128

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net