KB21309 - IKEv2 using Machine Certificate for authentication


Information

 
Last Modified Date: 8/2/2015 7:00 PM
Synopsis
This article describes how to set up IKEv2 using a Machine Certificate for authentication.
Problem or Goal
A user fails to authenticate with a Machine Certificate over PCS IKEv2 from Windows 7.

Typical errors are:
 
  • Policy Mismatch. 
  • IKE authentication credentials are unacceptable.
Cause
Solution
For the initial setup, refer to the Using IKEv2 on Pulse Secure Access Appliance document.

In addition to the how-to document, the following requirements must be met for Machine Certificate authentication to work properly.

On the PCS device:
 
  1. Enable VPN tunneling on the role and configure IKEv2 using the document referenced above.
  2. Make sure that the PCS Device Certificate has EKU (Enhanced Key Usage) support for Web Server Authentication and Web Client Authentication (refer to Image 1).
  3. Install the Client Machine Certificate Root CA in PCS Configuration > Certificates > Trusted Client CAs.
On the Client PC:
 
  1. Make sure that the Machine Certificate has EKU (Enhanced Key Usage) support for Web Server Authentication (refer to Image 1).
  2. Install the Machine Certificate in the Personal > Certificates folder in the Local Computer (Computer Account). Use MMC.exe to import it to the proper folder (refer to Image 2).
  3. Install the PCS Device Certificate Root CA in the Trusted Root Certification Authorities > Certificates folder in the Local Computer (Computer Account). Use MMC.exe to import it to the proper folder (refer to Image 2).
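
The client-side requirements above can be audited from PowerShell on the client PC. This is an added example, not part of the original article: it assumes "Web Server Authentication" corresponds to the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), and the function names and the thumbprint placeholder are hypothetical.

```powershell
# Added example: audits the client-side prerequisites listed above.
# Assumption: "Web Server Authentication" is the Server Authentication EKU OID.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collect the OIDs from the Enhanced Key Usage extension, if one is present.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

function Test-MachineCertificates {
    # Personal > Certificates in the Local Computer (Computer Account) store.
    # A certificate imported into the current user's store will not be listed here.
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $ekus = @(Get-EkuOids -Cert $_)
        New-Object PSObject -Property @{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            # Authentication needs the private key, not only the certificate.
            HasPrivateKey = $_.HasPrivateKey
            InValidity    = ($now -ge $_.NotBefore -and $now -le $_.NotAfter)
            HasServerAuth = ($ekus -contains $ServerAuthOid)
            EkuOids       = ($ekus -join ', ')
        }
    }
}

function Test-TrustedRoot {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Trusted Root Certification Authorities > Certificates in the Local Computer store.
    $normalized = ($Thumbprint -replace '\s', '').ToUpper()
    $match = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $normalized }
    return [bool]$match
}

Test-MachineCertificates |
    Format-List Subject, Thumbprint, HasPrivateKey, InValidity, HasServerAuth, EkuOids
# Placeholder: replace with the thumbprint of the PCS Device Certificate Root CA.
Test-TrustedRoot -Thumbprint '<PCS-ROOT-CA-THUMBPRINT>'
```

A usable Machine Certificate shows `HasPrivateKey`, `InValidity` and `HasServerAuth` all `True`, and `Test-TrustedRoot` returns `True` once the PCS root CA is in the computer store.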

Image 1 - Certificate with EKU (Enhanced Key Usage):



Image 2 - MMC console for Local Computer (Computer Account) certificate store:

Created By: Data Deployment
