Restricting which Certificate is allowed to authenticate a VPN connection

So I had a requirement on a VPN server I was setting up not long ago. The requirement was that only a "Smart Card Logon" certificate would be permitted for EAP access into my VPN server. The normal setup documentation

(https://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch1_70.asp) tells you how to set up RRAS to allow authentication via certificate, but it does not tell you how to limit which certificates are allowed to be used to make that connection.

What is the issue?

Well, for example, let's say you work for a company that uses 802.1x and a "Client Authentication" certificate for wireless access. A valid employee would have a client auth certificate on their workstation.

Now, for security reasons, you don't want that user to be able to use that same certificate (the client auth cert for wireless) to connect to the VPN servers. So how do you do it? By default, when RRAS is set up to do smart card or certificate authentication, it will allow any valid certificate (one issued by the correct CA) to connect, regardless of what the certificate was issued for.

What we want to do is limit it so only a Smart Card Logon certificate will work. The key here is the Enhanced Key Usage (EKU) OID for the Smart Card Logon certificate, which is 1.3.6.1.4.1.311.20.2.2. A client authentication certificate carries a different EKU OID (1.3.6.1.5.5.7.3.2), so a policy that requires the Smart Card Logon OID will reject it.

So first follow the directions on setting up your VPN server for "Smart card or other certificate" authentication

(https://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ras_sc_logon.asp).

For a little better control of who I let into my VPN servers, I also created a security group called "Smart Card VPN Users". The users that I have issued a smart card to are members of this group, so the policy is limited both by group membership and by certificate type.

So after the users are created, the group is created and the smart cards are issued, do the following:

  • Open your RAS manager and go to Remote Access Policies
  • Create a new policy called "Smart Card VPN Access" (I did not run the wizard but instead created a custom policy)
  • Add a condition where Windows-Groups = "Smart Card VPN Users"
  • Add a condition where Authentication-Type = "EAP"
  • NAS-Port-Type should also be "Virtual (VPN)"
  • Now click "Edit Profile"
  • Select the Authentication tab
  • Unselect MS-CHAP v2 and MS-CHAP (at this point we only want EAP authentication, so no password-based methods should remain checked)
  • Select the Advanced tab and click Add to add a new attribute
  • Select "Allowed-Certificate-OID"
  • Enter the OID that you want to permit as the value; in this case we want to only permit Smart Card Logon certificates, which have the OID 1.3.6.1.4.1.311.20.2.2


Now test your connection. With the smart card certificate it should allow you to connect, but if you use a client auth certificate it should fail. Note that the Allowed-Certificate-OID attribute only checks that the permitted OID is present in the client's certificate, so a certificate template that includes both the Client Authentication and Smart Card Logon purposes would still be accepted; keep the two purposes on separate templates if you want the split to hold.
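Before testing the dial-in, it helps to confirm which certificates on the client actually carry the Smart Card Logon OID the policy permits, and which only carry the Client Authentication OID. The following PowerShell script is an added example, not part of the original post: it walks the current user's personal certificate store and reports, per certificate, whether the "Smart Card VPN Access" policy above would admit it. The OID values are the real Microsoft Smart Card Logon and id-kp-clientAuth OIDs; the function names and the decision to read `Cert:\CurrentUser\My` are this example's own choices.

```powershell
# Added example (not the original post's code): report which certificates in
# the user's personal store would satisfy an Allowed-Certificate-OID of
# 1.3.6.1.4.1.311.20.2.2, and which are client-auth-only (wireless) certs.

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU (the value used in the policy)
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth, the usual EKU on an 802.1x client cert

function Get-CertEkuOids {
    # Returns the EKU OIDs of a certificate as an array of strings.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # The Enhanced Key Usage extension has OID 2.5.29.37; no extension means no EKUs.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    if (-not $ext) { return @() }

    $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-VpnPolicyCert {
    # Evaluates one certificate the way the Allowed-Certificate-OID attribute does:
    # the certificate passes if the permitted OID is present in its EKU list.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$AllowedOid = $SmartCardLogonOid
    )

    $oids = Get-CertEkuOids -Cert $Cert
    [pscustomobject]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        NotAfter       = $Cert.NotAfter
        HasPrivateKey  = $Cert.HasPrivateKey
        EkuOids        = ($oids -join ', ')
        PolicyAllows   = ($oids -contains $AllowedOid)
        # A cert with both purposes would still pass the policy; flag only the pure client-auth ones.
        ClientAuthOnly = (($oids -contains $ClientAuthOid) -and -not ($oids -contains $AllowedOid))
    }
}

# Cert:\CurrentUser\My is where the 802.1x client cert normally lives and where a
# smart card's certificate is propagated when the card is inserted.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-VpnPolicyCert -Cert $_ -AllowedOid $SmartCardLogonOid } |
    Sort-Object PolicyAllows -Descending |
    Format-Table Subject, PolicyAllows, ClientAuthOnly, HasPrivateKey, EkuOids, NotAfter -AutoSize
```

Run it on the client with the smart card inserted: the card's certificate should show PolicyAllows = True, and the wireless certificate should show PolicyAllows = False with ClientAuthOnly = True. If any certificate shows True in both PolicyAllows and a client-auth EKU, that template carries both purposes and the policy will not keep it off the VPN.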

Please let me know if this works or does not work out for you! :) And enjoy.