On Tue, Mar 29, 2016 at 12:47:04PM +0200, Lubomir Rintel wrote:
> I'm part of the Red Hat's NetworkManager crowd. We're aware that you've
> made some effort on making it easy to get a short-lived certificate for
> use with VPN (and EAP-TLS).
>  http://www.freeipa.org/page/User_certificate_use_cases#VPN_certificates
> We're interested in this. I'm wondering if you could share your plans,
> what is the present functionality and at which point could we get
> involved to get this supported in NetworkManager?
Hi Lubo, thanks for getting in touch.
Cc Alexander who knows a lot more about the desktop integration
experience than me :)
The bits for issuing short-lived user certs (custom profiles) are
available in FreeIPA 4.2 / RHEL 7.2. A further desirable
enhancement, the ability to issue these certs from a dedicated
sub-CA, is what I am currently working on.
The general outline of acquiring a short-lived cert for VPN
authentication is similar to the GSS-API authentication story (e.g.
see the blog post about OpenConnect).
1. User acquires Kerberos TGT via MS-KKDCP (Kerberos over public
2. User uses Kerberos ticket to acquire short-lived certificate via
`ipa cert-request' command, selecting the appropriate profile for
3. Certificate is used for VPN authentication.
So the start of the process is the same as the GSS-API use case, but
after acquiring the TGT it is used to get a cert for VPN auth
instead of a service ticket for same purpose. Since Kerberos is a
necessary part of the exchange I do not think that certificate
authentication in this scenario gives any advantage over GSS-API
(but it is more work and more complex, for sure!) Am I correct in
believing that NetworkManager already has support for GSS-API VPN
authentication with TGT acquired over MS-KKDCP?
The other (more important IMO) VPN certificate authentication
scenario is smart card authentication, where a (longer-lived)
certificate on a smart card is used to authenticate to a VPN. Does
NetworkManager support this already?
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
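The three-step flow outlined above (TGT over MS-KKDCP, then `ipa cert-request` against a custom profile), as an added shell example that is not from the thread or from FreeIPA itself. Hostname, realm, uid and profile id are placeholders; the `--certificate-out` flag is assumed from later FreeIPA releases, and the client is assumed to trust the CA that signs the KDC proxy's HTTPS certificate.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
set -eu

IPA_HOST="ipa.example.test"        # placeholder FreeIPA server
REALM="EXAMPLE.TEST"                # placeholder Kerberos realm
USER_UID="alice"                    # placeholder FreeIPA user (uid)
PROFILE_ID="vpnUserCertProfile"     # placeholder custom profile; the thread names none

# Step 1: point libkrb5 at the KDC proxy so kinit runs over HTTPS (MS-KKDCP)
# instead of UDP/TCP 88. Writes a krb5.conf fragment and prints its path.
write_kkdcp_krb5conf() {
    out="$1"
    cat >"$out" <<EOF
[realms]
  $REALM = {
    kdc = https://$IPA_HOST/KdcProxy
    kpasswd_server = https://$IPA_HOST/KdcProxy
  }
EOF
    printf '%s\n' "$out"
}

# Step 2a: fresh key and CSR for this short-lived cert. CN is the uid, since
# FreeIPA checks the CSR subject against the principal named in cert-request.
make_csr() {
    key="$1"; csr="$2"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "/CN=$USER_UID" 2>/dev/null
    # Sanity check: the CSR must verify under its own key before submission.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Step 2b: with a TGT in the cache, ask the CA for a cert from the profile.
# Needs a real server, so it is only defined here, not run.
request_vpn_cert() {
    csr="$1"; cert="$2"; krb5conf="$3"
    KRB5_CONFIG="$krb5conf" kinit "$USER_UID@$REALM"
    KRB5_CONFIG="$krb5conf" ipa cert-request "$csr" \
        --principal="$USER_UID@$REALM" \
        --profile-id="$PROFILE_ID" \
        --certificate-out="$cert"
}
# Step 3 is handing $cert and $key to the VPN client configuration.
```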