Re: [Fed-Talk] Re: Fed-talk Digest, Vol 4, Issue 224
- Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 4, Issue 224
- From: "Timothy J. Miller" <email@hidden>
- Date: Fri, 21 Sep 2007 09:45:25 -0500
The *only* AF VPN solution compatible with OS X is documented in
"SCL/CAC Enabled RA VPN TAII v2.0" found here:
https://itrm.hq.af.mil/itrm/
This is an L2TP/IPsec based solution and requires client certificates
which are most likely not yet available in your local domain or
forest. Further, it only works with OS X if the VPN concentrator's
identity certificate contains the IP address of the concentrator
public interface *and* the concentrator does *not* send the entire
certificate chain during IKE authentication.
These two issues are *not* documented in the TAII because, frankly,
the number of AF Mac laptops is insignificant.
A *new* AF VPN solution (TAII v3.0) is coming, based on the ASA5500
and using Cisco's proprietary IPSec/TCP + XAUTH, and *will not work*
with the current Cisco Mac VPN client.
-- Tim
On Sep 20, 2007, at 2:23 PM, Mark Yannuzzi wrote:
Shawn:
AFMC is using the Cisco VPN Client with a preconfigured .pcf file provided
that uses "Group Authentication", which I have successfully used with a
username/password.
I have tried to set up Apple's VPN but cannot find any documentation on how
to accomplish a connection to a CISCO VPN Concentrator utilizing a .pcf and
nothing at all regarding Smart Cards. Where can I find information on how
to set up Internet Connect in this regard?
Regards,
Mark
--
Mark Yannuzzi
Research Engineer
Sensors Directorate, Exploratory Electronics
Air Force Research Laboratory
Paul is correct, but I wanted to clarify that last statement made
about VPN on the Mac.
Cisco VPN software can't use a CAC for authentication from the Mac
Paul is absolutely correct that the Cisco Client does not support
Smart Cards at all on Mac OS X. However, the built-in Remote Access
Client ("Internet Connect") DOES support Smart Card authentication to
Cisco VPN Concentrators. We have customers who have been using this
for almost 2 years. Typical connectivity is done via L2TP over IPSec
using Smart Cards (EAP-TLS) as well as machine certificates.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden