[strongSwan] routing based on rightid
Martin Willi
martin at strongswan.org
Thu Oct 24 10:01:15 CEST 2013
Hi Hans,

> I added multiple certificates OU=<groupname> to the cert store, hoping
> that Windows would ask me which one to use, with no luck.

I assume you are using Machine Certificates to authenticate the clients?
I'm not aware of a way to enforce a specific certificate in IKE
authentication.

What you might try is to switch from Machine Certificates to EAP-TLS
authentication (in IKEv2). Microsoft uses EAP-TLS to authenticate users
(not the Machine) with certificates or Smartcards. When selecting "Smart
Card or certificate" as EAP method, you can even (un-)set a "Use simple
certificate selection" flag that sounds promising.

Please be aware that certificates and keys have to go in the user
certificate store for EAP-TLS, and that you have to ./configure
strongSwan with --enable-eap-tls and set rightauth=eap-tls, see [1] for
details.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/EapTls
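
A gateway-side ipsec.conf connection using the rightauth=eap-tls setting mentioned in the message above, as an added example that is not part of the original post or of the strongSwan wiki. The connection name, certificate file name, gateway identity and address pool are constructed placeholders, and the build is assumed to have been configured with --enable-eap-tls.

```conf
# /etc/ipsec.conf on the strongSwan gateway (added example, placeholder values)

# "win-eap-tls" is a hypothetical connection name
conn win-eap-tls
    keyexchange=ikev2

    # Gateway side: authenticates to the client with its own certificate
    left=%any
    leftauth=pubkey
    # placeholder certificate file and identity
    leftcert=gatewayCert.pem
    leftid=@vpn.example.org
    leftsubnet=0.0.0.0/0

    # Client side: the Windows user authenticates with a certificate from
    # the user certificate store, carried inside EAP-TLS
    right=%any
    rightauth=eap-tls
    # ask the client for its EAP identity instead of reusing the IKE identity
    eap_identity=%identity
    # placeholder virtual IP pool handed out to clients
    rightsourceip=10.10.10.0/24

    auto=add
```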