Is there currently support in the SSL-VPN client for the use of DoD CAC or other smartcards for the user authentication piece? If not, is it on the roadmap?
Hello There,
The problem with this kind of feature (smart card reader) is how the client OS manages the certificates. For instance, Windows machines store the certificate in the personal certificate store, and our VPN client software goes there to look for the certificate. Linux uses different stores (depending on the distribution), hence VMware doesn't support these clients with SC readers.
I did an implementation with a smartcard reader, and it is supported only on Windows clients.
HTH
Cheers
I have the same question, as this is a CAT III STIG finding. Not to mention, it provides 2FA for other DoD requirements (i.e., the Network Policy STIG).
Remote Access VPN STIG :: Release: 7 Benchmark Date: 27 Jul 2012
Vuln ID: V-21541
Severity: CAT III
The remote access solution will be configured to authenticate (DOD PKI preferred) all endpoints requesting access to the network; to include mutual authentication between the remote access server device and the endpoint will be enforced prior to network admission.
Implementation on Windows would be fine for us. Can you share your implementation details?
OK, so how did you do your implementation? I'm guessing your smartcard had a certificate signed directly by a Root CA with no Intermediate CA.
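The two checks a practitioner would want before blaming the VPN client are (a) whether the card's certificate actually landed in the Windows personal store the earlier reply says the client searches, and (b) what chain it builds, since the question above is whether the card certificate is signed directly by a root or through an intermediate CA. The following script is an added example, not code from the thread or from VMware. It assumes Windows PowerShell 5.1 or later, that the card middleware has already propagated the CAC certificates into Cert:\CurrentUser\My, and that the DoD issuing CAs can be picked out by the substring "DOD" in the issuer name (the $IssuerPattern parameter is an assumption and can be changed). Revocation checking is turned off so the output shows chain shape, not CRL reachability.

```powershell
# Added example (not from the thread): find smart-card client-auth certificates in the
# user's Personal store and report the chain each one builds, flagging intermediates.
param(
    [string]$IssuerPattern = 'DOD'   # assumption: substring that identifies the DoD issuing CA
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU

function Get-ClientAuthCerts {
    # Cert:\CurrentUser\My is the "Personal" store the VPN client is said to search.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.Issuer -match $IssuerPattern -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        }
}

function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # NoCheck shows the chain shape only; set to 'Online' to also test CRL/OCSP reachability.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($Cert)

    # ChainElements runs leaf -> intermediates -> root.
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root = if ($elements.Count -gt 0) { $elements[-1].Subject } else { $null }
    $intermediates = @($elements | Select-Object -Skip 1 | Select-Object -SkipLast 1 |
                       ForEach-Object { $_.Subject })

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        ChainValid    = $ok
        ChainDepth    = $elements.Count
        Intermediates = $intermediates
        Root          = $root
        Errors        = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }
}

$certs = @(Get-ClientAuthCerts)
if ($certs.Count -eq 0) {
    Write-Warning ("No client-auth certificate with a private key and issuer matching '{0}' " +
                   "in Cert:\CurrentUser\My. Insert the card and confirm the middleware " +
                   "propagates certificates into the Personal store.") -f $IssuerPattern
}

foreach ($c in $certs) {
    $r = Test-CertChain -Cert $c
    $r | Format-List

    # Depth 2 means the leaf is signed directly by a root. A DoD CAC chain normally has
    # an issuing (intermediate) CA below the DoD root, and the VPN server must trust
    # or be able to build through that intermediate, not just the root.
    if ($r.Intermediates.Count -gt 0) {
        "Intermediate CA(s) the VPN server must be able to chain through: " +
        ($r.Intermediates -join '; ')
    }
    if (-not $r.ChainValid) {
        Write-Warning ("Chain for {0} did not validate: {1}" -f $r.Thumbprint, ($r.Errors -join '; '))
    }
}
```

Run it with the card inserted as the user who will connect; a missing certificate points at the card middleware, an empty Intermediates list means the poster's guess of a root-signed card certificate is right, and a non-empty one means the intermediate issuing CA has to be present on the VPN side as well.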
We said screw it and bought Cisco ASAv licenses. These virtual appliances will do the thing we need done.