Cisco Support Community
Access control in Altiga based on users full DN.

We are testing remote access based on Cisco VPN Concentrator 3005 and VPN 3000 client v. 2.5.2.

We have set up a CA for issuing the certificates and a directory for CRL.

In order to distinguish between the different groups of users, we use the mechanism that maps the user certificate's "ou" field to groups on the 3005.

The setup is this: we have a user with certificate DN:

cn=John Doe, ou=Networking, o=Tele Danmark, c=DK

which gets the rights on the 3005 according to the "Networking" group.

BUT a user with DN:

cn=Evil Alice, ou=Networking, o=Telia, c=DK

gets the same rights when trying to access the 3005.

A prerequisite for Alice to gain unauthorized access seems to be that she can get a certificate from the same CA and with the right "ou"-field.

This is not a desired functionality. It would be nice if the groups on the 3005 were defined on the basis of the following instead of the "ou" field only:

1) Issuing CA

2) Full RDN (Relative DN), e.g. in the example above, that the group was identified by

ou=Networking, o=Tele Danmark, c=DK
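The following is an added example, not code from the thread or from Cisco. It models the two group-mapping policies the post contrasts: the OU-only match the poster observed on the 3005, and the match on issuing CA plus the full RDN suffix below the leaf CN that the poster asks for. Certificates are reduced to (subject, issuer) DN strings, and the CA names, the group tables and the third "Mallory" certificate are constructed for the example; expiry and CRL checks are left out.

```python
"""Added example (not from the thread or from Cisco): OU-only group mapping
versus mapping keyed on issuing CA plus the full RDN suffix of the subject."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # RFC 4514 style DN string, leaf CN first
    issuer: str


def parse_dn(dn):
    """Split a DN string into [(type, value), ...].

    Backslash-escaped commas stay inside the value; types are lowercased and
    values whitespace-stripped. Multi-valued RDNs ('a+b') are not handled,
    since the thread's examples do not use them."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        if not part.strip():
            continue
        typ, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns


def _norm(value):
    # RFC 5280 section 7.1 style comparison: ignore case and runs of whitespace.
    return " ".join(value.split()).casefold()


def rdns_equal(a, b):
    """Ordered, attribute-by-attribute comparison of two parsed DNs."""
    return len(a) == len(b) and all(
        ta == tb and _norm(va) == _norm(vb) for (ta, va), (tb, vb) in zip(a, b)
    )


# Constructed CA names; on a real device these come from the trust store.
TELE_DANMARK_CA = "cn=Remote Access CA, o=Tele Danmark, c=DK"
PARTNER_CA = "cn=Partner CA, o=Partner Ltd, c=DK"
TRUSTED_CAS = [TELE_DANMARK_CA, PARTNER_CA]

OU_GROUPS = {"networking": "Networking"}   # constructed OU -> group table


def group_by_ou(cert):
    """OU-only policy as the poster observed it: any certificate from a trusted
    CA whose OU is 'Networking' lands in the Networking group, whatever O or C say."""
    if not any(rdns_equal(parse_dn(cert.issuer), parse_dn(ca)) for ca in TRUSTED_CAS):
        return None
    for typ, val in parse_dn(cert.subject):
        if typ == "ou":
            return OU_GROUPS.get(_norm(val))
    return None


# Constructed policy: (issuing CA, subject RDNs after the leaf CN, group).
FULL_GROUPS = [
    (TELE_DANMARK_CA, "ou=Networking, o=Tele Danmark, c=DK", "Networking"),
]


def group_by_issuer_and_suffix(cert):
    """Policy the poster asks for: the group is keyed on the issuing CA and on the
    full RDN suffix below the leaf CN, so the right OU under a different O, C or
    issuer matches nothing."""
    subject = parse_dn(cert.subject)
    suffix = subject[1:] if subject and subject[0][0] == "cn" else subject
    issuer = parse_dn(cert.issuer)
    for ca, want_suffix, group in FULL_GROUPS:
        if rdns_equal(issuer, parse_dn(ca)) and rdns_equal(suffix, parse_dn(want_suffix)):
            return group
    return None


# The two certificates from the post, plus a constructed one from another trusted CA.
JOHN = Cert("cn=John Doe, ou=Networking, o=Tele Danmark, c=DK", TELE_DANMARK_CA)
ALICE = Cert("cn=Evil Alice, ou=Networking, o=Telia, c=DK", TELE_DANMARK_CA)
MALLORY = Cert("cn=Mallory, ou=Networking, o=Tele Danmark, c=DK", PARTNER_CA)

if __name__ == "__main__":
    for who in (JOHN, ALICE, MALLORY):
        print(f"{who.subject}: ou-only={group_by_ou(who)}, "
              f"issuer+suffix={group_by_issuer_and_suffix(who)}")
```

Under `group_by_ou`, both John and Alice map to Networking, which is exactly the behaviour the post complains about; under `group_by_issuer_and_suffix`, Alice's `o=Telia` and Mallory's different issuer both fail the match. The comparison folds case and whitespace as RFC 5280 recommends for DN matching, so a policy entry is not bypassed by trivial spelling variation in the same attribute values.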

1 REPLY
Re: Access control in Altiga based on users full DN.

It's my understanding you can file enhancement requests to check other certificate fields through your Cisco rep. At this point I think it only checks OU for a match and the cert validity, i.e. whether it's expired or not. By requesting a product enhancement you'll be given a bug ID that you can track. When you get the bug ID, be sure to post it on the board so we can all track it.
