
Strange problem with digital certs with VPN 3005

sebastan_bach
Level 4

I am having a strange problem with VPN 3005 using digital certificates. I am using digital certificates for the VPN 3005 and also with the VPN client using digital certificates.

Both the entities have received their certs from a CA, which are valid.

Now the OU field in the identity cert of the VPN 3005 is ENGG, and the OU field in the VPN client's cert is sales.

I have created a remote-access group with the name cisco, which does not match the OU of the VPN client.

Still the user is able to connect via certs. In the matching group policy I have also set it to match the OU from the cert.

In 4.1.5 code it worked properly, the way it should. I upgraded it to 4.7.2, but now it's working even with the wrong group name.

I tried the same scenario with a router and VPN client and it worked properly, the way it should. When the group name was different from the OU field of the client cert, it disconnected.

Has anyone faced the same problem before?

regards

sebastan

2 Replies

thomas.chen
Level 6

The OU field should be the same between the server and the client. If the OU field is SA connection will not be established between the server and the client.

Hi Thomas, you are right. Even I know that if the OU fields are different then the SA should not be established. But here it is working.

In the 4.1.5 release it worked fine, but in the new 4.7.2 it's working anyway. Could be a bug in the IOS.

regards

sebastan
