VMware Networking Community
KWKirchner
Enthusiast

NSX SSL-VPN Plus Support for PKI/CAC/Smartcards

Is there currently support in the SSL-VPN client for the use of DoD CAC or other smartcards for the user authentication piece? If not, is it on the roadmap?

Accepted Solutions
nreyesv79
VMware Employee

Hello There,

The problem with this kind of feature (smart card reader) is how the client OS manages the certificates. For instance, Windows machines store the certificate in the personal certificate store, and our VPN client software goes there to look for the certificate. Linux uses different stores (depending on the distribution), hence VMware doesn't support these clients with SC readers.

I did an implementation with a smartcard reader, and it is supported only on Windows clients.

HTH

Cheers

5 Replies
djberlin
Contributor

I have the same question, as this is a CAT3 STIG finding. Not to mention, provides 2FA for other DoD requirements (i.e. Network Policy STIG).

Remote Access VPN STIG :: Release: 7 Benchmark Date: 27 Jul 2012

Vuln ID: V-21541

Severity: CAT III

The remote access solution will be configured to authenticate (DOD PKI preferred) all endpoints requesting access to the network; to include mutual authentication between the remote access server device and the endpoint will be enforced prior to network admission.

KWKirchner
Enthusiast

Implementation on Windows would be fine for us. Can you share your implementation details?

djberlin
Contributor

OK, so how did you do your implementation? I'm guessing your smartcard had a certificate signed directly by a Root CA with no Intermediate CA.

KWKirchner
Enthusiast

We said screw it and bought Cisco ASAv licenses. These virtual appliances will do the thing we need done.
