Trusted Ca Certificate Settings; Group Assignment By User Identification; Allow All Policy - Nortel NN46110-600 User Manual

VPN Router Security — Servers, Authentication, and Certificates
82 Chapter 3 Using certificates

Trusted CA certificate settings

To authenticate incoming tunnel requests, you must associate every CA certificate
with a group. The group assignment of incoming tunnel requests is accomplished
by either finding the user provisioned in the VPN Router's directory (internal or
external), or by allowing all users issued by a particular CA to gain access. If all
users issued by a particular CA are allowed, there are two ways to determine the
group that an initiator gets assigned to:

• direct assignment into the group assigned to that CA
• access control by subject DN

Group assignment by user identification

If the subject DN of the certificate presented by the remote initiator of the tunnel
is a user located on that VPN Router, then the group that the user is bound to is the
one indicated in that user's configuration.

Allow All policy

Using Allow All, the VPN Router trusts the CA to establish the true identity of a
user. If the user's certificate is within the certificate validity period, the
certificate's signature is verified using the CA certificate, and the user's certificate
is not on the CA's CRL, the tunnel connection is permitted. Using the Allow All
policy means that once users are certified by the CA, they can create a tunnel
connection as long as their certificate is in good standing.

You can allow all users with certificates issued by this CA to authenticate with the
VPN Router, regardless of whether they have a user entry in the VPN Router's
LDAP database. By default, the CA certificate does not allow all users
authentication. Only users with their subject distinguished names (DNs) entered
into the Profiles > Users window can authenticate using certificates issued by this
CA.

If you enable Allow All users to authenticate, you must also select a group for
these users from the Default Group list. If you want only specific instances of
users to authenticate with the CA authority, you must configure each of these
users from the Profiles > Users > Edit window, and disable Allow All
authentication for this CA. Only these users can then perform IPsec RSA Digital
Signature Authentication using a certificate issued by this particular CA.
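The decision sequence described above (certificate standing checks, then group assignment by subject DN lookup, then the Allow All fallback to the CA's Default Group), written out as an added Python model; this is illustrative code, not the VPN Router's implementation. Signature verification against the CA certificate is represented by a `signature_ok` flag rather than computed, and all names, DNs and serials are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class TrustedCA:
    name: str                             # issuer name as it appears in presented certificates
    allow_all: bool = False               # Allow All is disabled by default on the VPN Router
    default_group: Optional[str] = None   # Default Group; required when allow_all is enabled
    crl_serials: frozenset = frozenset()  # serial numbers listed on the CA's CRL (constructed)

@dataclass(frozen=True)
class PresentedCert:
    subject_dn: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    signature_ok: bool  # assumed outcome of verifying the signature with the CA certificate

def authorize_tunnel(cert, ca, users, now):
    """Return (permitted, group, reason). `users` maps provisioned subject DNs to their bound group."""
    # Certificate standing checks apply to every initiator, whichever group policy is in force.
    if cert.issuer != ca.name:
        return False, None, "not issued by this trusted CA"
    if not (cert.not_before <= now <= cert.not_after):
        return False, None, "outside certificate validity period"
    if not cert.signature_ok:
        return False, None, "signature does not verify against the CA certificate"
    if cert.serial in ca.crl_serials:
        return False, None, "certificate is on the CA's CRL"
    # Group assignment by user identification: subject DN is a user on this VPN Router.
    group = users.get(cert.subject_dn)
    if group is not None:
        return True, group, "subject DN provisioned in Profiles > Users"
    # Allow All policy: trust the CA's identity assertion and assign the CA's Default Group.
    if ca.allow_all:
        if ca.default_group is None:
            return False, None, "Allow All enabled without a Default Group"
        return True, ca.default_group, "Allow All: assigned CA Default Group"
    return False, None, "subject DN not provisioned and Allow All disabled"

# Constructed sample data (not taken from the manual).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
USERS = {"CN=alice,OU=eng,O=example": "Engineering"}
CA_STRICT = TrustedCA("CN=Example Corp CA", crl_serials=frozenset({1002}))
CA_ALLOW_ALL = TrustedCA("CN=Example Corp CA", allow_all=True, default_group="Remote",
                         crl_serials=frozenset({1002}))

def sample_cert(subject_dn, serial, signature_ok=True, issuer="CN=Example Corp CA"):
    return PresentedCert(subject_dn, issuer, serial, datetime(2024, 1, 1, tzinfo=timezone.utc),
                         datetime(2025, 1, 1, tzinfo=timezone.utc), signature_ok)
```

With `CA_STRICT`, only the provisioned DN gets a tunnel; with `CA_ALLOW_ALL`, an unprovisioned but valid certificate lands in the Default Group while a provisioned DN still keeps its own group.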
