On Tue, Mar 29, 2016 at 12:47:04PM +0200, Lubomir Rintel wrote: > Hi, > > I'm part of the Red Hat's NetworkManager crowd. We're aware that you've > made some effort on making it easy to get a short-lived certificate for > use with VPN (and EAP-TLS) . > >  http://www.freeipa.org/page/User_certificate_use_cases#VPN_certificates > > We're interested in this. I'm wondering if you could share you plans, > what is the present functionality and at which point could we get > involved to get this supported in NetworkManager? > > Thanks, > Lubo > Hi Lubo, thanks for getting in touch.
Cc Alexander who knows a lot more about the desktop integration experience than me :) The bits for issuing short-lived user certs (custom profiles) are available in FreeIPA 4.2 / RHEL 7.2. A further desirable enhacement, the ability to issue these certs from a dedicated sub-CA, is what I am currently working on. The general outline of acquiring a short-lived cert for VPN authentication is similar to the GSS-API authentication story (e.g. see the blog post about OpenConnect).  https://securityblog.redhat.com/2015/06/17/single-sign-on-with-openconnect-vpn-server-over-freeipa/ In brief: 1. User acquires Kerberos TGT via MS-KKDCP (Kerberos over public HTTP proxy) 2. User uses Kerberos ticket to acquire short-lived certificate via `ipa cert-request' command, selecting the appropriate profile for VPN authentication. 3. Certificate is used for VPN authentication. So the start of the process is the same as the GSS-API use case, but after acquiring the TGT it is used to get a cert for VPN auth instead of a service ticket for same purpose. Since Kerberos is a necessary part of the exchange I do not think that certificate authentication in this scenario gives any advantage over GSS-API (but it is more work and more complex, for sure!) Am I correct in believing that NetworkManager already has support for GSS-API VPN authentication with TGT acquired over MS-KKDCP? The other (more important IMO) VPN certificate authentication scenario is smart card authentiction, where a (longer-lived) certificate on a smart card is used to authenticate to a VPN. Does NetworkManager support this already? Cheers, Fraser -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code