ObiWiki

User Tools

Site Tools

Trace:
playground:microsoft:windows:rras_server

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
playground:microsoft:windows:rras_server [2020/08/14 16:14] admintomiplayground:microsoft:windows:rras_server [2020/08/19 14:24] (current) admintomi
Line 4: Line 4:
  
 ==== Restrict accepted Client Certificates ==== ==== Restrict accepted Client Certificates ====
 +
 +This applies only if you are going to use IKEv2 and certificate authentication. When UserAuthProtocolAccepted contains Certificate. If you are using only EAP, you don't need or cannot even apply these settings.
  
 By default RRAS is bit too permissive with certificate authentication. It accepts any certificate from client which is signed by any Root CA in Computers Trusted Root Certification Authorities, and there are all Root CA:s Microsoft delivers with Windows. So either you would need to delete those certificates and break all outbound https traffic or set RRAS accept only the one you use. This needs to be done from Powershell, first check your settings: By default RRAS is bit too permissive with certificate authentication. It accepts any certificate from client which is signed by any Root CA in Computers Trusted Root Certification Authorities, and there are all Root CA:s Microsoft delivers with Windows. So either you would need to delete those certificates and break all outbound https traffic or set RRAS accept only the one you use. This needs to be done from Powershell, first check your settings:
playground/microsoft/windows/rras_server.1597410887.txt.gz · Last modified: 2020/08/14 16:14 by admintomi