Trusted ca certificate settings, Group assignment by user identification, Allow all policy – Panasonic NN46110-600 User Manual
82 Chapter 3 Using certificates
Trusted CA certificate settings
To authenticate incoming tunnel requests, you must associate every CA certificate
with a group. The group assignment of incoming tunnel requests is accomplished
by either finding the user provisioned in the VPN Router’s directory (internal or
external), or by allowing all users issued by a particular CA to gain access. If all
users issued by a particular CA are allowed, there are two ways to determine the
group that an initiator gets assigned to:
• direct assignment into the group assigned to that CA
• access control by subject DN
Group assignment by user identification
If the subject DN of the certificate presented by the remote initiator of the tunnel
is a user located on that VPN Router, then the group that the user is bound to is the
one indicated in that user’s configuration.
Allow All policy
Using Allow All, the VPN Router trusts the CA to establish the true identity of a
user. If the user’s certificate is within the certificate validity period, the
certificate’s signature is verified using the CA certificate, and the user’s certificate
is not on the CA’s CRL, the tunnel connection is permitted. Using the Allow All
policy means that once users are certified by the CA, they can create a tunnel
connection as long as their certificate is in good standing.
You can allow all users with certificates issued by this CA to authenticate with the
VPN Router, regardless of whether they have a user entry in the VPN Router's
LDAP database. By default, Allow All authentication is disabled for a CA
certificate: only users whose subject distinguished names (DNs) are entered
into the Profiles > Users window can authenticate using certificates issued by this
CA. If you enable Allow All users to authenticate, you must also select a group for
these users from the Default Group list. If you want only specific instances of
users to authenticate with the CA authority, you must configure each of these
users from the Profiles > Users > Edit window, and disable Allow All
authentication for this CA. Only these users can then perform IPsec RSA Digital
Signature Authentication using a certificate issued by this particular CA.
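The following is an added illustration of the decision sequence this section describes (validity period, signature check against the CA certificate, CRL check, then group assignment by provisioned subject DN or by the CA's Allow All default group). It is example code written for this page, not software from the VPN Router or its vendor. The class and function names, the sample CA names, DNs, serial numbers and dates are all constructed; the signature check is represented by a stored flag because a real implementation would verify the signature cryptographically. The ordering in which a provisioned user's own group takes precedence over the CA's default group is an assumption consistent with the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Set


@dataclass
class Certificate:
    """Constructed stand-in for the X.509 certificate an initiator presents."""
    subject_dn: str
    issuer_dn: str
    serial: int
    not_before: datetime
    not_after: datetime
    # Placeholder for the result of verifying the signature with the CA
    # certificate; a real implementation computes this, it is never stored.
    signature_valid_for_issuer: bool = True


@dataclass
class TrustedCA:
    """A trusted CA certificate and the settings this section describes."""
    subject_dn: str
    allow_all: bool = False                  # disabled by default, as in the manual
    default_group: Optional[str] = None      # required when allow_all is enabled
    revoked_serials: Set[int] = field(default_factory=set)  # the CA's CRL


@dataclass
class Decision:
    permitted: bool
    group: Optional[str]
    reason: str


def evaluate_tunnel_request(cert: Certificate,
                            trusted_cas: Dict[str, TrustedCA],
                            user_directory: Dict[str, str],
                            now: datetime) -> Decision:
    """trusted_cas maps issuer DN -> TrustedCA; user_directory maps subject DN -> group."""
    ca = trusted_cas.get(cert.issuer_dn)
    if ca is None:
        return Decision(False, None, "issuer is not a trusted CA")
    # 1. Certificate must be within its validity period.
    if not (cert.not_before <= now <= cert.not_after):
        return Decision(False, None, "certificate outside validity period")
    # 2. Signature must verify against the CA certificate.
    if not cert.signature_valid_for_issuer:
        return Decision(False, None, "signature does not verify against CA certificate")
    # 3. Certificate must not be on the CA's CRL.
    if cert.serial in ca.revoked_serials:
        return Decision(False, None, "certificate is on the CA's CRL")
    # 4a. Group assignment by user identification: subject DN provisioned on the router.
    group = user_directory.get(cert.subject_dn)
    if group is not None:
        return Decision(True, group, "subject DN found in user directory")
    # 4b. Allow All: trust the CA to establish identity, use the CA's default group.
    if ca.allow_all:
        if ca.default_group is None:
            return Decision(False, None, "Allow All enabled but no default group selected")
        return Decision(True, ca.default_group, "Allow All policy; CA default group")
    return Decision(False, None, "subject DN not provisioned and Allow All disabled")


def build_sample_environment():
    """Constructed sample data, not taken from any real deployment."""
    trusted_cas = {
        "CN=Corp Issuing CA": TrustedCA("CN=Corp Issuing CA", allow_all=False,
                                        revoked_serials={0x1003}),
        "CN=Partner CA": TrustedCA("CN=Partner CA", allow_all=True,
                                   default_group="Contractors"),
    }
    user_directory = {"CN=alice,OU=Eng": "Engineering"}
    return trusted_cas, user_directory


def run_demo(now: datetime = datetime(2024, 6, 1, tzinfo=timezone.utc)) -> Dict[str, Decision]:
    trusted_cas, users = build_sample_environment()
    nb = datetime(2024, 1, 1, tzinfo=timezone.utc)
    na = datetime(2025, 1, 1, tzinfo=timezone.utc)
    cases = {
        "provisioned": Certificate("CN=alice,OU=Eng", "CN=Corp Issuing CA", 0x1001, nb, na),
        "unprovisioned_strict_ca": Certificate("CN=mallory", "CN=Corp Issuing CA", 0x1002, nb, na),
        "revoked": Certificate("CN=bob,OU=Eng", "CN=Corp Issuing CA", 0x1003, nb, na),
        "unprovisioned_allow_all": Certificate("CN=carol", "CN=Partner CA", 0x2001, nb, na),
        "expired_allow_all": Certificate("CN=dave", "CN=Partner CA", 0x2002, nb,
                                         datetime(2024, 3, 1, tzinfo=timezone.utc)),
    }
    return {name: evaluate_tunnel_request(c, trusted_cas, users, now)
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:25s} permitted={decision.permitted!s:5s} group={decision.group} ({decision.reason})")
```

The sample shows why the manual stresses that Allow All shifts identity assurance onto the CA: an unprovisioned subject presented under the Partner CA is admitted into the default group purely on the strength of the CA's issuance and CRL, whereas the same subject under the Corp Issuing CA (Allow All disabled) is refused until an administrator adds its DN under Profiles > Users.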
NN46110-600