
| Subject: | Re: Problem with Contivity and Certificates from Verisign |
|---|---|
| Date: | Sat, 10 Sep 2005 06:46:10 -0600 |

No, I tend to remember that in the certificate properties (System>Certificates>[SERVER CERTIFICATE]), you could establish a mapping between the client certificates' DN and the groups in the Contivity... it should be in the manual or in a tech tip from Nortel. If you cannot find this, feel free to mail me off-line for more info.

Regards,
Rodrigo.

On 9/8/05, Cesar Farro Flores <cesar.farro@t-empresas.com.pe> wrote:

1- Are other similar certificates working, or all of them are failing to authenticate?

Now, I am testing only with Verisign certificates for server and users. At the beginning, I was testing with Microsoft certificate for the server and Verisign certificate for users. The result was the same.

2.- Have you established obligatory CRL check in the Contivity server certificate, and if so, is the CRL accessible from the Contivity?

No. CRL check is disabled.

3.- Has the certificate been revoked in the CA?

No. The certificate is valid.

4.- Is the server certificate in the Contivity enabled?

Yes, it is.

5.- Have you configured the <certificate DN - Contivity group> mapping?

I think you ask me about "Profiles/Groups/IPSec"... It's configured as follows:

Database Authentication LDAP
- User and password: enabled
- RSA Digital Signature: enabled
  * Default Server Certificate: CN=VPN1700, OU=Sis....

CF.

Rodrigo Blanco <rodrigo.blanco.r@gmail.com> wrote on 06/09/2005 01:46:35 a.m.:

Hello Cesar,

I would check these items, just as a beginning:

- Are other similar certificates working, or all of them are failing to authenticate?
- Have you established obligatory CRL check in the Contivity server certificate, and if so, is the CRL accessible from the Contivity?
- Has the certificate been revoked in the CA?
- Is the server certificate in the Contivity enabled?
- Have you configured the <certificate DN - Contivity group> mapping?

Regards,
Rodrigo.

On 9/5/05, Cesar Farro Flores <cesar.farro@t-empresas.com.pe> wrote:

Hi List,

We have contivity vpn switch 1700 sw V05_00.136 and certificates from CA Verisign, we have a problem in the process of authentication. We can see in the log that before this error message, the contivity delivers an IP Address to my user. Then the authentication failure. Does anybody know why this error message appears in the log: "rejected or aborted connection attempt".

We will appreciate your help.

####################################################################
08/31/2005 11:43:40 0 ISAKMP [02] ISAKMP SA established with mail=jesus@x.com.pe, cn=jesus , ou=organizacion - x, ou=terms of use at www.ace.es/rpa (c)01, ou=csc - class 2, o=xxx.s.a.a. (200.x.x.83)
08/31/2005 11:43:40 0 ISAKMP [13] Error notification (Authentication failure) received from mail=jesus@x.com.pe, cn=jesus, ou=organizacion - x, ou=terms of use at www.ace.es/rpa (c)01, ou=csc - class 2, o=xxx.s.a.a. (200.x.x.83)
08/31/2005 11:43:40 0 ISAKMP [13] mail=jesus@x.com.pe, cn=jesus, ou=organizacion - x, ou=terms of use at www.ace.es/rpa (c)01, ou=csc - class 2, o=xxx.s.a.a. (200.x.x.83) rejected or aborted connection attempt
##################################################################
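
An added example, not part of the thread and not Nortel code: a small Python parser for the three log lines quoted above that pairs each "ISAKMP SA established" entry with a later "Authentication failure" notification from the same peer, so the pattern can be found in a longer log. The line layout, the `window_s` parameter and all function names are assumptions drawn only from those three lines.

```python
import re
from datetime import datetime

# The three log lines quoted in the thread; "cn=jesus ," vs "cn=jesus," is as logged.
DN = ("mail=jesus@x.com.pe, cn=jesus%s, ou=organizacion - x, ou=terms of use at "
      "www.ace.es/rpa (c)01, ou=csc - class 2, o=xxx.s.a.a. (200.x.x.83)")
SAMPLE_LOG = "\n".join([
    "08/31/2005 11:43:40 0 ISAKMP [02] ISAKMP SA established with " + DN % " ",
    "08/31/2005 11:43:40 0 ISAKMP [13] Error notification (Authentication failure) received from " + DN % "",
    "08/31/2005 11:43:40 0 ISAKMP [13] " + DN % "" + " rejected or aborted connection attempt",
])

# Assumed layout: MM/DD/YYYY HH:MM:SS <number> ISAKMP [<code>] <message>
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) \d+ ISAKMP \[\d+\] (.*)$")
# The address is the last "(...)" of the peer field; the DN itself may contain "(c)01".
PEER = r"(?P<dn>.+) \((?P<addr>[^()]+)\)"
EVENTS = {
    "established": re.compile("^ISAKMP SA established with " + PEER + "$"),
    "auth_failure": re.compile(r"^Error notification \(Authentication failure\) received from " + PEER + "$"),
    "rejected": re.compile("^" + PEER + " rejected or aborted connection attempt$"),
}

def norm_dn(dn):
    # Simplification: split on every comma (escaped commas in a DN are not handled).
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        for kind, rx in EVENTS.items():
            e = rx.match(m.group(2))
            if e:
                yield ts, kind, (norm_dn(e["dn"]), e["addr"])
                break

def failures_after_sa(log_text, window_s=5):
    established, hits = {}, {}
    for ts, kind, peer in parse(log_text):
        if kind == "established":
            established[peer] = ts
        elif kind == "auth_failure" and peer in established:
            if 0 <= (ts - established[peer]).total_seconds() <= window_s:
                hits[peer] = {"dn": peer[0], "addr": peer[1], "at": ts, "rejected": False}
        elif kind == "rejected" and peer in hits:
            hits[peer]["rejected"] = True
    return list(hits.values())
```

Without `norm_dn`, the first line would not pair with the other two, because the DN is logged with a space before one comma in that entry only.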