ObiWiki

User Tools

Site Tools

Trace:
playground:microsoft:windows:rras_server

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
playground:microsoft:windows:rras_server [2020/08/14 16:12] – created admintomiplayground:microsoft:windows:rras_server [2020/08/19 14:24] (current) admintomi
Line 1: Line 1:
 ====== Routing and Remote Access server as VPN server ====== ====== Routing and Remote Access server as VPN server ======
  
-=====   IKEv2   =====+===== IKEv2 =====
  
-==== Hardnening settings ====+==== Restrict accepted Client Certificates ==== 
 + 
 +This applies only if you are going to use IKEv2 and certificate authentication. When UserAuthProtocolAccepted contains Certificate. If you are using only EAP, you don't need or cannot even apply these settings.
  
 By default RRAS is bit too permissive with certificate authentication. It accepts any certificate from client which is signed by any Root CA in Computers Trusted Root Certification Authorities, and there are all Root CA:s Microsoft delivers with Windows. So either you would need to delete those certificates and break all outbound https traffic or set RRAS accept only the one you use. This needs to be done from Powershell, first check your settings: By default RRAS is bit too permissive with certificate authentication. It accepts any certificate from client which is signed by any Root CA in Computers Trusted Root Certification Authorities, and there are all Root CA:s Microsoft delivers with Windows. So either you would need to delete those certificates and break all outbound https traffic or set RRAS accept only the one you use. This needs to be done from Powershell, first check your settings:
Line 87: Line 89:
  
 </code> </code>
 +
  
playground/microsoft/windows/rras_server.1597410751.txt.gz · Last modified: 2020/08/14 16:12 by admintomi