New Member

Group mapping for Router with dynamic IP to VPN3000 using certificates

We have several routers (CISCO and others) that have dynamically assigned internet addresses. The authentication is made by certificates (Netscape CMS). How can we map those routers to groups? How can we use the certificates' "OU", "Subject AlternativeName (FQDN or EMAIL or something else)" or "UNSTRUCTURED..." entries?

Thank you very much, Bernd

  • Other Security Subjects
2 REPLIES
Cisco Employee

Re: Group mapping for Router with dynamic IP to VPN3000 using ce

I presume you mean a VPN3000 group, is that correct? The 3000 uses the OU in the certificate to map users to a specific group name. However, I presume you're talking about L2L tunnels here, in which case you can't build those on a VPN3000 if you don't know the IP address of the peer. You can't have the routers come in as a client connection either, because the client does some proprietary stuff and the routers won't be able to bring up the connection.
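
The OU-to-group lookup described in the reply above, as an added example that is not part of the original thread: the script builds two constructed self-signed router certificates with openssl (one with an OU, one without), reads the OU from the subject, and accepts the certificate into the group of the same name only if that group is configured; the group names and certificates are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example: mimic the "OU in the certificate names the group" rule.
# Assumes the openssl CLI is available; everything else is constructed here.
set -e

# Constructed list of groups configured on the concentrator (assumption).
CONFIGURED_GROUPS="branch-routers hq-routers"

# Print the first OU of a PEM certificate's subject, or nothing if absent.
cert_ou() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*OU=\([^,]*\).*/\1/p' | head -n 1
}

# Print the group the certificate maps to, or NONE when its OU matches
# no configured group (a real concentrator would reject that peer).
group_for_cert() {
    ou=$(cert_ou "$1")
    for g in $CONFIGURED_GROUPS; do
        [ "$ou" = "$g" ] && { echo "$g"; return 0; }
    done
    echo "NONE"
}

# Constructed self-signed certificates standing in for router identity certs.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/k1.pem" \
    -out "$WORK/router1.pem" -subj "/O=Example/OU=branch-routers/CN=router1" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/k2.pem" \
    -out "$WORK/router2.pem" -subj "/O=Example/CN=router2" 2>/dev/null

echo "router1 -> $(group_for_cert "$WORK/router1.pem")"   # branch-routers
echo "router2 -> $(group_for_cert "$WORK/router2.pem")"   # NONE (no OU)
```

The second certificate shows the failure mode the questioner is up against: an enrollment that produces no OU gives the concentrator nothing to map on.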

New Member

Re: Group mapping for Router with dynamic IP to VPN3000 using ce

Yes, I mean a VPN3000 group. When I use Bintec (a German manufacturer known for ISDN equipment) routers, I am able to use the OU to establish a Remote access connection. I guess it should be possible to do that with CISCO routers, too, if only it would be possible to generate a certificate with SCEP that contains an OU. The latter would be interesting for routers with static addresses, too.

Thank you very much,

Bernd
