Authentication using Certificate
Hi, I'm wondering, having PKI, if it is possible to use both a Machine Certificate and the User's SmartCard (SmartCard Logon Certificate) to authenticate a client? I do have both workstation logon and VPN access scenarios. I am looking for a solution which makes it possible to authenticate both the machine and the user who is logged on to it. Any clues or references would be appreciated. Cheers
June 9th, 2010 8:55am

To authenticate a computer by using certificates — VPN is a fine solution.
http://en-us.sysadmins.lv
June 9th, 2010 9:17am

Hi, Thanks for the post. AFAIK, EAP does not provide mechanisms that perform dual authentication — that is, the authentication of both the computer being used to access the network and the user who is attempting to connect. For more information, please refer to the following article: Core Network Companion Guide: Deploying Computer and User Certificates Hope this helps. Miles
June 9th, 2010 12:20pm

Miles, EAP-TLS requires a client certificate for user authentication. For computer mutual authentication, you need to use an L2TP VPN tunnel.
http://en-us.sysadmins.lv
June 9th, 2010 1:40pm

> Hi, Thanks for the post. AFAIK, EAP does not provide mechanisms that perform dual authentication — that is, the authentication of both the computer being used to access the network and the user who is attempting to connect. For more information, please refer to the following article: Core Network Companion Guide: Deploying Computer and User Certificates Hope this helps. Miles
Thanks Miles for the helpful answer. Now I'm wondering how I can restrict VPN connections to be initiated from certain computers? Is it possible using certificates at all? And having an AD domain, is it possible to force workstations to have valid digital certificates for using domain network resources? (I was thinking of having it using .1x PNAC, but any other solutions?) TIA
June 11th, 2010 8:31am

> Miles, EAP-TLS requires a client certificate for user authentication. For computer mutual authentication, you need to use an L2TP VPN tunnel. http://en-us.sysadmins.lv
Thanks Vadims for the reply. By L2TP VPN requirement, do you mean it is not possible to have PKI-based mutual authentication using other VPN types like PPTP? Another question is, by client certificate, do you mean a specific type of certificate template? As you probably see, there are a number of VPN templates (by default) in MS CA which have the Client Authentication purpose. http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll/fig138.jpg TIA
June 11th, 2010 8:49am

No. PPTP doesn't support computer authentication by using certificates.
http://en-us.sysadmins.lv
June 11th, 2010 1:06pm

This topic is archived. No further replies will be accepted.
