Access control by subject dn – Panasonic NN46110-600 User Manual

Page 93


Chapter 3 Using certificates 83

You must enable the Allow All feature for each CA certificate against which you want to permit authentication without an explicit user entry. This allows anyone with a valid certificate from the particular CA to establish a tunnel connection. Also, you must associate a default group with that certificate. The client authenticating with the Allow All feature then uses the attributes associated with that group. You can also assign Allow All users to specific groups by matching the relative DN of a connecting certificate user. You are not limited to a single default group.

Note: Branch Office connections do not support the CA Certificate Allow All feature. Therefore, you must configure an explicit Branch Office connection.

Access control by Subject DN

This form of mapping incoming requests to groups allows the subject DN of incoming certificates to be parsed to a configured depth and associated with a corresponding group. During the client authentication process, the VPN Router tries to match the client's certificate subject DN with all the associations of the CA. The match can be a partial match or an exact match. In the case of a partial match, the longest match from the root of the DN is used. After a match is found, the client is assigned to the corresponding group. If no match is found, the client is assigned to the default group of the CA.

A DN has multiple components (RDNs). The most common ones are common name (CN), country name (C), locality name (L), state/province name (S), organization (O), and organizational unit (OU). The order of the RDNs does not matter unless multiple OUs are present, but ordering the DN in the following sequence avoids ambiguity: C, S, L, O, OU, and CN.

The following examples show group mappings:

ou=VPNRouter, o=Nortel, c=US/base/vpnrouter

ou=Engineering, ou=VPNRouter, o=Nortel, c=US/base/vpnrouter/Engineering

ou=Marketing, ou=VPNRouter, o=Nortel, c=US/base/vpnrouter/Marketing

ou=Engineering, o=Bay Networks, L=Boston, S=MA, c=us/base/bay
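The following is an added example (not the VPN Router's own code) showing how the longest-match-from-root rule, the configured parsing depth, and the fallback to the CA default group work against the mappings listed above. It assumes the root of the DN is the rightmost RDN as written, that attribute types and values compare case-insensitively (so c=US and c=us are equal), and that the default group is named /base/default; those are assumptions, not settings from the manual.

```python
from typing import List, Optional, Tuple

RDN = Tuple[str, str]

# Group mappings taken from the manual's examples (DN -> group).
MAPPINGS = [
    ("ou=VPNRouter, o=Nortel, c=US", "/base/vpnrouter"),
    ("ou=Engineering, ou=VPNRouter, o=Nortel, c=US", "/base/vpnrouter/Engineering"),
    ("ou=Marketing, ou=VPNRouter, o=Nortel, c=US", "/base/vpnrouter/Marketing"),
    ("ou=Engineering, o=Bay Networks, L=Boston, S=MA, c=us", "/base/bay"),
]
DEFAULT_GROUP = "/base/default"  # assumed name for the CA's default group


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into root-first, lower-cased (attribute, value) pairs.

    'ou=Eng, o=Nortel, c=US' -> [('c', 'us'), ('o', 'nortel'), ('ou', 'eng')]
    Assumes plain comma-separated RDNs (no escaped commas), which is enough
    for the manual's examples.
    """
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return list(reversed(rdns))  # rightmost RDN (country) is the root


def match_group(subject_dn: str, mappings=MAPPINGS, default_group: str = DEFAULT_GROUP,
                depth: Optional[int] = None) -> str:
    """Return the group for a certificate subject DN.

    The subject is parsed only to `depth` RDNs from the root (None = all).
    A mapping matches when every one of its RDNs equals the subject's RDN at
    the same position from the root (exact or partial match); the longest
    matching mapping wins, and the CA default group is used when none match.
    """
    subject = parse_dn(subject_dn)
    if depth is not None:
        subject = subject[:depth]
    best_len, best_group = 0, None
    for mapping_dn, group in mappings:
        pattern = parse_dn(mapping_dn)
        if len(pattern) > best_len and subject[:len(pattern)] == pattern:
            best_len, best_group = len(pattern), group
    return best_group if best_group is not None else default_group
```

A subject such as cn=Bob, ou=Sales, ou=VPNRouter, o=Nortel, c=US has no Sales mapping, so the partial match on the first three RDNs from the root places it in /base/vpnrouter.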

Nortel VPN Router Security — Servers, Authentication, and Certificates
