RE: Non-IP type Client IDs
[snip]
>Without using something like USER_FQDN or KEYID, how can you have
>different phase 2 policies for different remote users? I also believe
>that there are many cases when you will not be able to assign a fixed
>private IP address to the client. Config Mode does help, but I don't
>know why we should preclude other options.
The certificate used in phase 1 differentiates between remote users.
If you're relying on a USER_FQDN in phase 2 to determine policy such
that user1@xxx.com is allowed access to all machines behind the gateway
and user2@yyy.com is only allowed access to a subset of machines,
user2@yyy.com will just stick user1@xxx.com in its phase 2 ID. I'd
prefer to restrict phase 2 IDs to IP addresses. The certificate is
the identity of the remote peer; duplicating this identity in various
parts of the exchange(s) is redundant and unnecessary.
-dave
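The point Dave makes above, as an added illustration that is not part of the thread and not anyone's implementation: a toy gateway policy check in Python. It contrasts keying phase 2 policy on a USER_FQDN the client asserts in its phase 2 ID (which a peer that has already passed phase 1 can set to anything) against keying it on the certificate subject authenticated in phase 1 and allowing only IP-type selectors in phase 2. The user names come from the post; the address ranges, the `POLICY` table, the ID-type labels, the assigned client address and all function names are assumptions made for this example.

```python
"""Toy IKE phase 2 policy check (constructed example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed policy: authenticated certificate subject -> network the user
# may reach behind the gateway.
POLICY = {
    "user1@xxx.com": ip_network("10.0.0.0/24"),    # all machines behind the gateway
    "user2@yyy.com": ip_network("10.0.0.128/25"),  # only a subset
}

# Phase 2 ID types accepted as IP selectors (labels modelled on IKEv1 ID types;
# the exact set is an assumption of this example).
IP_ID_TYPES = {"IPV4_ADDR", "IPV4_ADDR_SUBNET"}


@dataclass(frozen=True)
class Phase2ID:
    id_type: str   # e.g. "USER_FQDN", "IPV4_ADDR", "IPV4_ADDR_SUBNET"
    value: str     # the identity string or address/prefix


@dataclass(frozen=True)
class QuickMode:
    idci: Phase2ID  # initiator-side ID: who the client says it is / its address
    idcr: Phase2ID  # responder-side selector: what the client wants to reach


def policy_by_phase2_id(qm: QuickMode) -> bool:
    """Weak scheme: look policy up by the USER_FQDN the client puts in IDci.
    Nothing ties that string to the certificate verified in phase 1."""
    if qm.idci.id_type != "USER_FQDN":
        return False
    allowed = POLICY.get(qm.idci.value)
    if allowed is None:
        return False
    return ip_network(qm.idcr.value).subnet_of(allowed)


def policy_by_phase1_identity(cert_subject: str, assigned_addr: str,
                              qm: QuickMode) -> bool:
    """Scheme argued for in the post: the phase 1 certificate subject selects
    the policy, phase 2 IDs must be IP addresses, and IDci must be the
    address the gateway assigned to this client (e.g. via Config Mode)."""
    if qm.idci.id_type not in IP_ID_TYPES or qm.idcr.id_type not in IP_ID_TYPES:
        return False                       # non-IP phase 2 IDs are refused outright
    if ip_network(qm.idci.value) != ip_network(assigned_addr):
        return False                       # client may only speak for its own address
    allowed = POLICY.get(cert_subject)
    if allowed is None:
        return False
    return ip_network(qm.idcr.value).subnet_of(allowed)


def demo() -> dict:
    """user2@yyy.com authenticated with its own certificate in phase 1, then
    claims user1@xxx.com's identity in phase 2 and asks for the whole subnet."""
    spoof = QuickMode(Phase2ID("USER_FQDN", "user1@xxx.com"),
                      Phase2ID("IPV4_ADDR_SUBNET", "10.0.0.0/24"))
    legit = QuickMode(Phase2ID("IPV4_ADDR", "192.168.100.7"),
                      Phase2ID("IPV4_ADDR_SUBNET", "10.0.0.128/25"))
    return {
        # USER_FQDN-keyed policy grants user2 full access on a claimed name
        "spoof_accepted_by_fqdn_policy": policy_by_phase2_id(spoof),
        # certificate-keyed policy refuses the non-IP phase 2 ID
        "spoof_accepted_by_cert_policy":
            policy_by_phase1_identity("user2@yyy.com", "192.168.100.7", spoof),
        # user2's own address and permitted subset still work
        "legit_accepted_by_cert_policy":
            policy_by_phase1_identity("user2@yyy.com", "192.168.100.7", legit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check is deliberately two-layered: refusing non-IP ID types closes the impersonation route, and binding IDci to the gateway-assigned address stops a client from selecting a different assigned address's policy; the destination selector is then only compared against what the phase 1 subject is entitled to.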