62

Directory operation to reinitialize the directory in binary mode. See Chapter 2 of the Entrust/PKI 4.0 Administration Guide.

The following are guidelines for installing the Entrust/PKI 4.0 VPN Connector product:

• The Entrust installation guide provides instructions for installing the Entrust/PKI 4.0 VPN Connector product. The installation guide specifies the exact system requirements. It is strongly recommended that the installation guide be reviewed carefully before attempting the installation.

• The installation provides various worksheets, and the information requested in these must be determined prior to the installation.

The CEP features of VPN Connector are not required in a 3Com bridge/router PKI environment. Skip those steps relating to the CEP installation and configuration.

PPTP Tunnel Security Validation

Authentication problems may occur when connecting a Windows 95 or NT client via a Total Control™ hub to a NETBuilder II bridge/router where the Total Control hub is setting up a PPTP tunnel to the bridge/router.

This problem is a combination of the security protocol between the client and the LS (in this case the Total Control Hub) and the time it takes to validate a Radius request on the Radius server. In addition, the setting of the DefaultAptCtl parameter needs to be considered because this determines which security protocol the NETBuilder bridge/router will use.

If the client and the LS negotiate to use PAP, the client will send PAP configure requests, but at that time the LS is busy setting up the PPTP tunnel and will forward the PAP requests to the NETBuilder bridge/router. The bridge/router by default sends a CHAP challenge to the client, and normally the client responds immediately. The NETBuilder bridge/router then sends a request to the Radius server for validation.

If there is another PAP request from the client to the bridge/router while the bridge/router is waiting for validation from the Radius server, the bridge/router will send a PAP NAK to the client and the session is terminated. If the CHAP success message is received before the next PAP message, the PAP message is discarded and the connection is established.

Solutions include disabling CHAP on the NETBuilder DAC or disabling PAP between the client and the LS.

This situation does not arise when the NETBuilder bridge/router is using internal security because it is fast enough to check the CHAP response before the next PAP message is generated.
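The PAP/CHAP race described above, as an added simulation that is not part of the 3Com manual: the `Bridge` class, `run_session`, and all timing values are constructed assumptions, and the model also covers the internal-security case (fast validation) and the disable-CHAP-on-the-DAC mitigation.

```python
"""Constructed model of the PAP/CHAP race on a PPTP tunnel via a Total Control hub.

Not 3Com code. The NETBuilder side answers the first forwarded PAP request with a
CHAP challenge and waits for RADIUS; a further PAP request that arrives before the
CHAP success is received produces a PAP NAK and tears the session down.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Bridge:
    """NETBuilder-side authentication state (modelled; not the real DefaultAptCtl logic)."""
    chap_enabled: bool = True           # False models "disable CHAP on the NETBuilder DAC"
    radius_delay: float = 2.0           # assumed seconds for RADIUS to validate the CHAP response
    chap_success_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def on_pap_request(self, t: float) -> str:
        if not self.chap_enabled:
            self.log.append(f"{t:.1f}s PAP accepted (CHAP disabled)")
            return "PAP-ACK"
        if self.chap_success_at is None:
            # First PAP request: send a CHAP challenge; the client answers at once and the
            # router queries RADIUS, whose success arrives after radius_delay.
            self.chap_success_at = t + self.radius_delay
            self.log.append(f"{t:.1f}s CHAP challenge sent; RADIUS result due at {self.chap_success_at:.1f}s")
            return "CHAP-CHALLENGE"
        if t < self.chap_success_at:
            # Another PAP request while validation is pending: NAK and terminate the session.
            self.log.append(f"{t:.1f}s PAP request during pending RADIUS -> PAP NAK, session terminated")
            return "PAP-NAK"
        self.log.append(f"{t:.1f}s CHAP success already received; PAP request discarded")
        return "DISCARD"


def run_session(pap_request_times: List[float], chap_enabled: bool = True,
                radius_delay: float = 2.0) -> str:
    """Replay the client's PAP configure-request times (seconds) and report the outcome."""
    bridge = Bridge(chap_enabled=chap_enabled, radius_delay=radius_delay)
    for t in pap_request_times:
        if bridge.on_pap_request(t) == "PAP-NAK":
            return "terminated"
    return "established"


if __name__ == "__main__":
    print(run_session([0.0, 1.0]))                      # RADIUS slow: terminated
    print(run_session([0.0, 1.0], radius_delay=0.1))    # internal security: established
    print(run_session([0.0, 1.0], chap_enabled=False))  # CHAP disabled on DAC: established
```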

RSA Signature for Phase 1 Authentication

When using RSA Signature for phase 1 authentication, and an IP address is used for the Distinguished Name Common Name or Subject Alternate Name, the only port on the device that will perform IPSec is the one that corresponds to that IP address. Using a domain name for the Distinguished Name Common Name or Subject Alternate Name does not impose this limitation.

Windows NT MS-CHAP Authentication

Although the 11.4 RAS service supports 64 character user names and passwords, any Windows NT user with a password greater than 14 characters long will fail MS-CHAP authentication. Per the IETF MS-CHAP v2 draft, current versions of Windows NT limit passwords to 14 characters.

3Com 86-0621-000, C36460T software manual