VPN3000; Certificates OU field and Groups

rremenyi
Level 1

Hello,

We want to establish a Remote Access VPN from Cisco VPN Client 3.51 to a VPN3005 v3.51 using certificates.

We only got it working when the OU field of the certificate of the Concentrator was matching the OU field of the Client Certificate.

If I understand the documentation correctly, the OU field of the client is directly linked with the "group" definitions on the concentrator. What I do not understand is: Why does the OU field of the Concentrator's certificate need to match as well?

http://www.cisco.com/warp/customer/471/installboth.html step 4)

This would limit me to only one group on the concentrator that can use certificates.

If the concentrator's certificate has a different name in the OU field, the client does not accept the certificate (at least that's what my test shows).

Am I understanding this correctly?

Is there a way that the OU field in the concentrator's certificate can be empty or different from the OU field of the group name and of the client?

Thanks in advance,

- Robert

3 Replies

jfrahim
Level 5

Robert,

If you want to configure multiple groups on the concentrator, you can install multiple identity certificates using different OUs in the enrollment form.

Hello JAZIB,

thanks for your quick reply.

I can install a maximum of 2 identity certificates on the Concentrator, and I was thinking the second one is there to provide a smooth migration to a new CA or to install a renewed certificate without interruption. However, that would give me a maximum of 2 groups.

But my first question would be:

- Do I understand correctly that the OU in the Concentrator's identity certificate must match the OU in the client's certificate? And if "yes": why? (That would make no sense to me.)

regds,

- Robert

After some more testing I got it working.

I was wrong.

The OU field of the Concentrator's certificate does not need to match with the OU name of the client's certificate or with a Group name.

Sorry for your time.

rgds,

- Robert
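The thread's conclusion is that the concentrator selects the group from the OU in the *client's* certificate subject, while the concentrator's own identity certificate only has to chain to a CA the client trusts; its OU is irrelevant. The script below is an added example (not code from this thread or from Cisco) that shows that selection logic on constructed subject DNs, including the cases a practitioner trips over: an OU containing an escaped comma, a hex-escaped comma, a certificate with two OUs, and one with no OU at all. It assumes subjects are given as RFC 4514 strings (the form `openssl x509 -noout -subject -nameopt RFC2253` prints) and that, when a certificate carries several OUs, the first one listed that names a configured group wins; that tie-break is an assumption of the example, not documented VPN3000 behaviour. All group names and DNs are constructed.

```python
"""Group selection by client-certificate OU, as the thread describes for the VPN3000.

Added example, not code from the forum thread or from Cisco. Subject DNs are
assumed to be RFC 4514 strings; every DN and group name here is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed: groups configured on the concentrator, keyed by group name.
GROUPS = {
    "Engineering": "full tunnel",
    "Sales, East": "split tunnel",
    "Contractors": "restricted",
}

# Constructed: the concentrator's identity certificate. Its OU is not a group
# name and does not have to be; the client only verifies that this certificate
# chains to a trusted CA, it never compares OUs.
GATEWAY_SUBJECT = "CN=vpn3005.example.com,OU=Gateways,O=Example GmbH,C=DE"

# Constructed client certificate subjects covering the awkward cases.
CLIENT_SUBJECTS = [
    "CN=rremenyi,OU=Engineering,O=Example GmbH,C=DE",
    "CN=sales01,OU=Sales\\, East,O=Example GmbH,C=DE",               # escaped comma in OU
    "CN=sales02,OU=Sales\\2C East,O=Example GmbH,C=DE",              # hex escape for ','
    "CN=contractor7,OU=Contractors,OU=External,O=Example GmbH,C=DE",  # two OUs
    "CN=guest,O=Example GmbH,C=DE",                                  # no OU at all
]

_SPECIALS = ',=+<>#;"\\ '


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs.

    Handles backslash-escaped specials ("\\,") and two-digit hex escapes ("\\2C").
    Multi-valued RDNs joined with '+' are flattened into separate pairs; hex
    escapes above 0x7F are treated as single code points (a simplification).
    """
    pairs: List[Tuple[str, str]] = []
    key: Optional[str] = None
    buf: List[str] = []
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:
            nxt = dn[i + 1]
            if nxt in _SPECIALS:              # escaped special character
                buf.append(nxt)
                i += 2
                continue
            if i + 2 < n:                     # \XX hex escape
                try:
                    buf.append(chr(int(dn[i + 1:i + 3], 16)))
                    i += 3
                    continue
                except ValueError:
                    pass
            buf.append(nxt)                   # unknown escape: keep the char
            i += 2
            continue
        if key is None and c == "=":
            key = "".join(buf).strip().upper()
            buf = []
        elif key is not None and c in ",+":   # end of this attribute value
            pairs.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    if key is not None:
        pairs.append((key, "".join(buf).strip()))
    return pairs


def ou_values(subject: str) -> List[str]:
    """All OU values in the subject, in the order they appear."""
    return [v for k, v in parse_dn(subject) if k == "OU"]


def select_group(client_subject: str, groups: Dict[str, str] = GROUPS) -> Optional[str]:
    """Return the group whose name equals an OU of the client certificate.

    Only the client's subject is consulted; the gateway's own OU plays no part.
    None means no OU named a configured group (how the concentrator then treats
    the user is a configuration matter outside this example).
    """
    for ou in ou_values(client_subject):
        if ou in groups:
            return ou
    return None


def map_clients(subjects: List[str] = CLIENT_SUBJECTS) -> Dict[str, Optional[str]]:
    """Map each client's CN to the group it would land in."""
    result: Dict[str, Optional[str]] = {}
    for s in subjects:
        cn = next(v for k, v in parse_dn(s) if k == "CN")
        result[cn] = select_group(s)
    return result


if __name__ == "__main__":
    print("gateway OU:", ou_values(GATEWAY_SUBJECT), "-> not a group, and need not be")
    for cn, group in map_clients().items():
        print(f"{cn:12s} -> {group}")
```

Run it as-is to see each constructed client mapped to a group (or to `None` for the certificate without an OU) while the gateway's OU `Gateways` matches nothing and is never consulted. To use it against real certificates, feed `parse_dn` the output of `openssl x509 -noout -subject -nameopt RFC2253 -in client.pem` with the leading `subject=` removed.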