3Com C36460T Tablet Accessory User Manual

Directory operation to reinitialize the directory in binary mode. See Chapter 2
of the Entrust/PKI 4.0 Administration Guide.
The following are guidelines for installing the Entrust/PKI 4.0 VPN Connector
product:
- The Entrust installation guide provides instructions for installing the
  Entrust/PKI 4.0 VPN Connector product. The installation guide specifies the
  exact system requirements. It is strongly recommended that the installation
  guide be reviewed carefully before attempting the installation.
- The installation provides various worksheets, and the information requested in
  these must be determined prior to the installation.
The CEP features of VPN Connector are not required in a 3Com bridge/router
PKI environment. Skip those steps relating to the CEP installation and
configuration.
PPTP Tunnel Security Validation
Authentication problems may occur when connecting a Windows 95 or NT client
via a Total Control™ hub to a NETBuilder II bridge/router where the Total Control
hub is setting up a PPTP tunnel to the bridge/router.
This problem is a combination of the security protocol between the client and the
LS (in this case the Total Control Hub) and the time it takes to validate a Radius
request on the Radius server. In addition, the setting of the DefaultAptCtl
parameter needs to be considered because this determines which security protocol
the NETBuilder bridge/router will use.
If the client and the LS negotiate to use PAP, the client sends PAP configure
requests, but at that time the LS is busy setting up the PPTP tunnel and forwards
the PAP requests to the NETBuilder bridge/router. By default the bridge/router
sends a CHAP challenge to the client, and normally the client responds immediately.
The NETBuilder bridge/router then sends a request to the Radius server for
validation.
If there is another PAP request from the client to the bridge/router while the
bridge/router is waiting for validation from the Radius server, the bridge/router will
send a PAP NAK to the client and the session is terminated. If the CHAP success
message is received before the next PAP message, the PAP message is discarded
and the connection is established.
Solutions include disabling CHAP on the NETBuilder DAC or disabling PAP
between the client and the LS.
This situation does not arise when the NETBuilder bridge/router is using internal
security because it is fast enough to check the CHAP response before the next PAP
message is generated.
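The race described above, replayed as a small timing model. This is an added illustration, not code from the 3Com manual; the timing values (RADIUS round trip, PAP retransmit interval, local lookup time) are constructed, and the configuration flags stand in for the DefaultAptCtl setting, the internal-security option and the client/LS negotiation the text mentions.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One PPTP logon through the LS (constructed values, in seconds)."""
    pap_between_client_and_ls: bool = True  # client and LS negotiated PAP
    chap_on_bridge_router: bool = True      # DefaultAptCtl leaves CHAP selected
    internal_security: bool = False         # True: user validated locally, no RADIUS
    radius_rtt: float = 3.0                 # time until RADIUS validation returns
    pap_retry_interval: float = 2.0         # client re-sends its PAP request
    internal_check_time: float = 0.05       # local check is far faster than RADIUS


def simulate_logon(s: Scenario) -> tuple[str, list[str]]:
    """Replay the exchange; return ('established' | 'terminated', event log)."""
    log: list[str] = []
    if not s.pap_between_client_and_ls:
        log.append("client/LS use CHAP: no PAP requests reach the bridge/router")
        return "established", log
    log.append("t=0.00 client -> LS: PAP Configure-Request (LS busy with PPTP setup)")
    log.append("t=0.00 LS -> bridge/router: PAP request forwarded")
    if not s.chap_on_bridge_router:
        log.append("bridge/router validates PAP itself: no cross-protocol race")
        return "established", log
    log.append("t=0.00 bridge/router -> client: CHAP Challenge; client answers at once")
    success_at = s.internal_check_time if s.internal_security else s.radius_rtt
    checker = "internal security" if s.internal_security else "RADIUS server"
    log.append(f"t=0.00 bridge/router -> {checker}: validate CHAP response")
    next_pap = s.pap_retry_interval
    if next_pap < success_at:
        # Second PAP request wins the race: bridge/router NAKs it, session ends.
        log.append(f"t={next_pap:.2f} second PAP request before CHAP Success "
                   f"(due t={success_at:.2f}): PAP NAK sent, session terminated")
        return "terminated", log
    log.append(f"t={success_at:.2f} CHAP Success received; PAP request at "
               f"t={next_pap:.2f} is discarded, connection established")
    return "established", log


if __name__ == "__main__":
    for name, sc in [("slow RADIUS", Scenario()),
                     ("internal security", Scenario(internal_security=True)),
                     ("CHAP disabled on DAC", Scenario(chap_on_bridge_router=False)),
                     ("PAP disabled client/LS", Scenario(pap_between_client_and_ls=False))]:
        outcome, events = simulate_logon(sc)
        print(f"{name}: {outcome}")
        for line in events:
            print("  " + line)
```

Lowering the RADIUS round trip below the client's PAP retransmit interval also avoids the NAK, which is why the page attributes the failure to validation latency rather than to either protocol alone.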
RSA Signature for Phase 1 Authentication
When using RSA Signature for phase 1 authentication, and an IP address is used
for Distinguished Name Common Name or Subject Alternate Name, the only port
on the device that will perform IPSec is the one that corresponds to that IP
address. Using a domain name for the Distinguished Name Common Name or
Subject Alternate Name does not impose this limitation.
Windows NT MS-CHAP Authentication
Although the 11.4 RAS service supports 64-character user names and passwords,
any Windows NT user with a password longer than 14 characters will fail
MS-CHAP authentication. Per the IETF MS-CHAP v2 draft, current versions of
Windows NT limit passwords to 14 characters.