EAP-TLS-Based Remote Access VPN Connections


EAP-TLS-based remote access VPN connections require a user certificate on the VPN client and a computer certificate on the IAS server. EAP-TLS is used when you want to authenticate your VPN connection with the most secure user-level authentication protocol. Locally installed user certificates in the following steps are used to make it easier to set up in a test lab. In a production environment, it is recommended that you use smart cards, rather than locally installed user certificates, for EAP-TLS authentication.

DC1

To configure DC1 for autoenrollment of user certificates, perform the following steps:

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Under Snap-in, double-click Certificate Templates, click Close, and then click OK.

  4. In the console tree, click Certificate Templates. All the certificate templates are displayed in the details pane. This is shown in the following figure.

    click to expand

  5. In the details pane, click the User template.

  6. On the Action menu, click Duplicate Template.

  7. In the Display Name field, type VPN Access.

  8. Ensure that the Publish Certificate In Active Directory check box is selected. This is shown in the following figure.

  9. Click the Security tab.

  10. In the Group Or User Names field, click Domain Users.

  11. In the Permissions For Domain Users list, select the Enroll and Autoenroll permission check boxes. This is shown in the following figure.

  12. Click the Subject Name tab.

  13. Clear the Include E-Mail Name In Subject Name and E-mail Name check boxes. Because an e-mail name was not configured for the VPNUser1 user account, leaving these options selected will prevent a user certificate from being issued. This is shown in the following figure.

  14. Click OK.

  15. Open the Certification Authority snap-in.

  16. In the console tree, open Certification Authority, Example CA, and then Certificate Templates. This is shown in the following figure.

    click to expand

  17. On the Action menu, point to New, and then click Certificate Template To Issue.

  18. Click VPN Access. This is shown in the following figure.

    click to expand

  19. Click OK.

  20. Open the Active Directory Users And Computers snap-in.

  21. In the console tree, double-click Active Directory Users And Computers, right-click the example.com domain, and then click Properties.

  22. On the Group Policy tab, click Default Domain Policy and then click Edit.

  23. In the console tree, open User Configuration, Windows Settings, Security Settings, and then Public Key Policies. This is shown in the following figure.

    click to expand

  24. In the details pane, double-click Autoenrollment Settings.

  25. Click Enroll Certificates Automatically. Select the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box. Select the Update Certificates That Use Certificate Templates check box. This is shown in the following figure.

    click to expand

  26. Click OK.

IAS1

To configure IAS1 with a computer certificate and for EAP-TLS authentication, perform the following steps:

  1. To ensure that IAS1 has auto-enrolled a computer certificate, type gpupdate at a command prompt.

  2. Open the Internet Authentication Service snap-in.

  3. In the console tree, click Remote Access Policies.

  4. In the details pane, double-click VPN Remote Access To Intranet. The VPN Remote Access To Intranet Properties dialog box is displayed.

  5. Click Edit Profile, and then click the Authentication tab.

  6. On the Authentication tab, click EAP Methods. The Select EAP Providers dialog box is displayed.

  7. Click Add. The Add EAP dialog box is displayed.

  8. Click Smart Card Or Other Certificate, and then click OK.

  9. Click Edit. The Smart Card Or Other Certificate Properties dialog box is displayed. This is shown in the following figure.

    click to expand

  10. The properties of the computer certificate issued to the IAS1 computer are displayed. This step verifies that IAS has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK.

  11. Click OK to save to the selection of an EAP provider. Click OK to save changes to the profile settings.

  12. When prompted to view help topics, click No. Click OK to save changes to the remote access policy.

These configuration changes will allow the VPN remote access to intranet remote access policy to authorize VPN connections using the EAP-TLS authentication method.

CLIENT1

To obtain a user certificate on CLIENT1 and then configure an EAP-TLS-based remote access VPN connection, perform the following steps:

  1. Shut down CLIENT1.

  2. Disconnect the CLIENT1 computer from the simulated Internet network segment, and connect it to the intranet network segment.

  3. Restart the CLIENT1 computer, and log on using the VPNUser1 account. Computer and user group policy is automatically updated.

  4. Shut down the CLIENT1 computer.

  5. Disconnect the CLIENT1 computer from the intranet network segment, and connect it to the simulated Internet network segment.

  6. Restart the CLIENT1 computer, and log on using the VPNUser1 account.

  7. On CLIENT1, open the Network Connections folder from Control Panel.

  8. In Network Tasks, click Create A New Connection.

  9. On the Welcome To The New Connection Wizard page of the New Connection Wizard, click Next.

  10. On the Network Connection Type page, click Connect To The Network At My Workplace.

  11. Click Next. On the Network Connection page, click Virtual Private Network Connection.

  12. Click Next. On the Connection Name page, type EAPTLStoCorpnet in the Company Name text box.

  13. Click Next. On the VPN Server Selection page, type 10.0.0.2 in the Host Name Or IP Address text box.

  14. Click Next. On the Public Network page, select Do Not Dial The Initial Connection.

  15. Click Next. On the Connection Availability page, click Next.

  16. On the Completing The New Connection Wizard page, click Finish. The Connect EAPTLStoCorpnet dialog box is displayed.

  17. Click Properties, and then click the Security tab.

  18. On the Security tab, click Advanced, and then click Settings. The Advanced Security Settings dialog box is displayed.

  19. In the Advanced Security Settings dialog box, select Use Extensible Authentication Protocol (EAP). This is shown in the following figure.

    click to expand

  20. Click Properties. On the Smart Card Or Other Certificate Properties dialog box, select Use A Certificate On This Computer. This is shown in the following figure.

    click to expand

  21. Click OK to save changes to the Smart Card Or Other Certificate EAP type. Click OK to save changes to the Advanced Security Settings. Click OK to save changes to the Security tab. The connection is immediately initiated using the installed user certificate.

  22. When the connection is complete, run the Web browser.

  23. In the Address text box, type http://IIS1.example.com/iisstart.htm. You should see a Web page titled “Under Construction.”

  24. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the Local Drive (C:) on IIS1.

  25. Right-click the EAPTLStoCorpnet connection, and then click Disconnect.




Deploying Virtual Private Networks With Microsoft Windows Server 2003
Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)
ISBN: 0735615764
EAN: 2147483647
Year: 2006
Pages: 128

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net