I have the same question, as this is a CAT III STIG finding. Not to mention, it provides 2FA for other DoD requirements (i.e. the Network Policy STIG).
Remote Access VPN STIG :: Release: 7 Benchmark Date: 27 Jul 2012
Vuln ID: V-21541
Severity: CAT III
The remote access solution will be configured to authenticate (DOD PKI preferred) all endpoints requesting access to the network; to include mutual authentication between the remote access server device and the endpoint will be enforced prior to network admission.
The problem with this kind of feature (smart card reader) is how the client OS manages the certificates; for instance, Windows machines store the certificate in the personal certificate store, and our VPN client software goes there to look for the certificate. Linux uses different stores (depending on the distribution), hence VMware doesn't support these clients with SC readers.
I did an implementation with a smartcard reader, and it is supported only on Windows clients.
Implementation on Windows would be fine for us. Can you share your implementation details?
OK, so how did you do your implementation? I'm guessing your smartcard had a certificate signed directly by a Root CA with no Intermediate CA.
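As an added example (not code from this thread or from VMware), the PowerShell below checks the two things raised above: it enumerates the current user's personal store, which is where the Windows VPN client is said to look for the certificate, and it builds the chain of each certificate so you can see whether the smart card certificate is signed directly by a root CA or goes through an intermediate. It assumes it is run on the Windows client with the smart card inserted and its certificate already propagated into Cert:\CurrentUser\My; the function name Test-VpnClientCertificate is my own.

```powershell
# Added example, not code from the thread or from VMware.
# Lists certificates in the current user's personal store (where the VPN client
# is said to look), flags the ones usable for client authentication, and builds
# each chain so that a missing intermediate CA becomes visible.
# Assumption: run on the Windows client with the smart card inserted and its
# certificate already propagated into Cert:\CurrentUser\My.

$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon

function Test-VpnClientCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Extended key usages as OID strings
    $ekus = @($Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    # Build the chain the same way a client library would, using the
    # CA and Root stores available on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # NoCheck keeps this runnable offline; the VPN gateway still does its own
    # revocation checking, so do not treat a pass here as a full validation.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)

    [PSCustomObject]@{
        Subject        = $Certificate.Subject
        Issuer         = $Certificate.Issuer
        Thumbprint     = $Certificate.Thumbprint
        HasPrivateKey  = $Certificate.HasPrivateKey
        ClientAuth     = ($ekus -contains $ClientAuthOid)
        SmartCardLogon = ($ekus -contains $SmartCardLogonOid)
        ChainBuilt     = $built
        # 2 = leaf signed directly by a root CA; 3 or more = intermediate CA(s) in the path
        ChainDepth     = $chain.ChainElements.Count
        # Empty when the chain is good; PartialChain means an intermediate is missing locally
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

Get-ChildItem -Path Cert:\CurrentUser\My |
    ForEach-Object { Test-VpnClientCertificate -Certificate $_ } |
    Format-Table -AutoSize
```

A certificate the VPN client can actually use should show HasPrivateKey and ClientAuth as True with an empty ChainStatus. A ChainDepth of 2 means the card's certificate is signed directly by a root; 3 or more means an intermediate CA is involved, and if ChainStatus reports PartialChain that intermediate is not present in the local CA store, which is the usual reason a card that works for Windows logon fails against a VPN gateway.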