Hello, I am testing the Win 7 Agile VPN client (aka native Windows VPN client) using L2TP over IPsec VPN, using certificates and RADIUS (AD). It's working well overall. One issue. On some clients, I see - inconsistently - if a client has multiple local computer certificates, sometimes the VPN client selects the wrong certificate to connect to the VPN. In the GUI, command line, or registry, I see no way to tell the client which certificate to use. Two questions: 1) how does the client select which certificate to use... 2) is there a way to force the client to use a certain certificate? This is a Win7x64 environment. Thanks.

I discovered part of the problem. The Agile VPN client seems to "skip" a certificate if the subject name includes a DN. So, by using a DN in the subject name and using DNS in the SAN field, I've gotten the needed functionality out of the system. The only issue left now is that - strangely - an auto-enrolled certificate from the same template as a manually enrolled certificate does not authenticate correctly? The manually enrolled certificate does not allow for any options to be set. Any ideas? Cheers.

Hi, May I know what edition of your Windows Server? Here is a guide on RADIUS authentication can be referred to. Please pay attention to the "configure an authentication method". Basic setup using Windows 2008 Server to allow RADIUS and dot1x authentication http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/Ivan-Liu TechNet Community Support

Hello Ivan, Thanks for the response; the scenario is: W7 clients using the Agile VPN client to do L2TP over IPsec to a firewall product. The firewall product is not Windows. The firewall does RADIUS against WS2k8R2 Standard. When the client dials up, I clearly see in the firewall logs that the IPsec portion does not initiate due to the wrong certificate. So, it is not a RADIUS issue, as the client does not proceed on to the L2TP portion. Again, this issue only pops up for *some* clients that have multiple certificates. Other clients with multiple certificates work fine. If a client has only the necessary certificate for VPN, 100% of clients do not have any problem. If a client has several certificates, maybe, 25% have a problem. In the latter pool, when I compare a client with several certs that works vs a client with several certs that doesn't work, I don't see any appreciable difference; they have the same set of certificates... and the certificate policies are auto-enrolled. Je ne comprends pas.