The Cisco also needs to be exempted from the "authenticated domain
members" rule, unless you can set its identifying certificate up as
authenticatable to the domain.  (You are authenticating against the
Windows 2000 domain, correct?)

There are known issues with restricting access to known machines only.
See the Microsoft knowledge base for details.  (Primarily, computers
can't change their account passwords, users can't change their
passwords after they expire, since that requires an anonymous
connection, and a couple other things that are fairly annoying.)

'subordinate certificates to web clients'?  Do you mean end-user TLS
authentication certificates?  If so...

It should be possible to set up Certificate Services on a domain
controller, then create a new Certificate Policy that will allow you
to create a subordinate CA.  Then, create an LDAP client (to run on
the webserver) that has a certificate or other means to authenticate
as something that has permission to modify user attributes, specifically
user-certificate.

While it should theoretically be possible to send CSRs and then
certificates through the Apache (SuSE) server via mod_proxy, I'm not
entirely certain how the interactions between the domain server and
the client would work in that case.

Hire me as a consultant, and I can help more? ;)

-Kyle H

On 4/2/06, Davidson, Brett (Managed Services) <[EMAIL PROTECTED]> wrote:
>
> First some background.
>
> First issue: I'm wanting to establish certificate-driven, IPSec-based
> authentication and access on my local LAN. Participants are mainly Windows
> XP machines (including some laptops via wireless access points which started
> this process) and a SUSE Linux webserver. The current Windows 2000 server
> will have Group Policies implemented restricting access to authenticated
> domain members. (Obviously, the webserver will be excluded from some of
> these policies). Essentially, access to the domain and the domainserver
> should be restricted to known machines.
>
> What also needs to occur is that these same known machines require internet
> access via a Cisco 800 series router. (thus the same IPsec policies on the
> domain need to be applied as authentication-only policies on the router).
> Incoming traffic (as distinct from return traffic) needs to be allowed to
> the webserver.
>
> Second issue is that I wish the Linux webserver to be able to distribute
> subordinate certificates to web clients.
>
> Started to look at the planning for this and my brain started to hurt.
>
> Anyone tried this and can share some gotchas, do's and don'ts?
>
>
> Regards,
>
>
> Brett Davidson
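The subordinate-CA layout Kyle sketches above (a root that signs an issuing CA, which in turn signs end-user TLS client certificates), worked through with the openssl CLI as an added example rather than anything from the thread. It assumes `openssl` is on the PATH; the CA names, the client subject and the temporary directory are constructed for the illustration. The check at the end shows why the relying party (web server or IPsec peer) must hold the root and not just the issuing CA.

```shell
#!/bin/sh
# Added example: two-tier chain (root -> issuing sub-CA -> client cert) built
# with the openssl CLI, then validated the way a server-side peer would.
set -e

build_chain() {
    dir=$1
    mkdir -p "$dir"
    # 1. Root CA: self-signed; in practice kept offline.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/root.key" -out "$dir/root.crt" \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    # 2. Issuing (subordinate) CA: CSR signed by the root, CA:TRUE with
    #    pathlen:0 so it can sign end-entity certs but no further CAs.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/sub.key" \
        -out "$dir/sub.csr" -subj "/CN=Example Issuing CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/sub.ext"
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/sub.ext" -out "$dir/sub.crt" >/dev/null 2>&1
    # 3. End-user client certificate issued by the sub-CA, limited to clientAuth.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.csr" -subj "/CN=user@example.invalid" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/sub.crt" -CAkey "$dir/sub.key" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/client.crt" >/dev/null 2>&1
}

# Returns 0 when client.crt chains to the root through the sub-CA and is
# usable for TLS client authentication.
verify_client() {
    dir=$1
    openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/sub.crt" \
        -purpose sslclient "$dir/client.crt" >/dev/null 2>&1
}

# Returns 0 when the client cert is rejected by a trust store holding only
# the sub-CA: without the self-signed root the chain is incomplete.
rejected_without_root() {
    dir=$1
    ! openssl verify -CAfile "$dir/sub.crt" "$dir/client.crt" >/dev/null 2>&1
}

workdir=$(mktemp -d)
build_chain "$workdir"
verify_client "$workdir" && echo "client cert chains to root via sub-CA"
rejected_without_root "$workdir" && echo "client cert rejected without the root"
```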
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]