
Credential Filters



What is the defined mechanism in the IPSec policy model to handle the following use case?

We have a running implementation of the IPSec policy model and we have hit a use case that I can't seem to resolve with the model.  Any assistance would be appreciated. Here is the use case in end user terms. 

It is a remote access application where a user connects via his workstation to an IPSec gateway using an IPSec client on the workstation. The gateway must be configured to allow access using these criteria.

1) The user can be dynamically assigned any IP address.
2) The user is assumed to have an X509 certificate configured in his IPSec client.
3) The gateway must be configured to identify the end user during the IKE negotiation such that the X509 certificate must contain both an issuer and a subject name that match criteria in the SPD entry in the gateway. The catch is that the X509 issuer/subject name can match any entry in a match set list.
Ex: Issuer/Subject Name can be any one of the following:
 1) Issued To: CN=MyCompName,O=Eng
    Issued By: CN=MyCompCA, O=Network Security

OR

 1) Issued To: CN=YourCompName,O=Eng
    Issued By: CN=YourCompCA, O=Network Security

OR
   You get the picture


My review of rfc3585 and the CIM_Network25.mof led me to the conclusion that this is not possible with the model. Making the entry sequence value=0 would mean that we should AND all the CredentialFilter instances. If the entry sequence values are non-zero it means that the CredentialFilters are ORed. Since the CredentialFilter has attributes of MatchFieldName and MatchFieldValue, it would take two CredentialFilter instances to define a match for an issuer AND a subject name.

What am I missing?

Casey
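The following is an added illustration of the matching semantics as the post reads them, not code from the post, from RFC 3585 or from the CIM MOF. It models a CredentialFilter as (MatchFieldName, MatchFieldValue, EntrySequence), evaluates a flat filter list as AND when every sequence is 0 and as OR otherwise, and then shows why a flat list cannot express "(issuer A and subject A) or (issuer B and subject B)": the flat OR list also accepts a certificate whose subject is company A's name but whose issuer is company B's CA. The field names "IssuerName" and "SubjectName", the evaluation rules and the certificate name pairs are assumptions constructed for the example; the grouped evaluation at the end is the intended policy, written out only to make the gap concrete.

```python
"""Evaluate CredentialFilter lists against X.509 issuer/subject names.

Assumed semantics (the post's reading, not the normative model):
  EntrySequence == 0 on every entry -> all entries must match (AND)
  EntrySequence != 0 on every entry -> any one entry may match (OR)
Field names "IssuerName"/"SubjectName" and all DN strings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CredentialFilter:
    match_field_name: str   # assumed: "IssuerName" or "SubjectName"
    match_field_value: str  # DN string the certificate field must equal
    entry_sequence: int     # 0 = AND with the other entries, non-zero = OR


# Constructed certificate identities: field name -> DN string.
CERT_A = {"SubjectName": "CN=MyCompName,O=Eng",
          "IssuerName": "CN=MyCompCA,O=Network Security"}
CERT_B = {"SubjectName": "CN=YourCompName,O=Eng",
          "IssuerName": "CN=YourCompCA,O=Network Security"}
# Cross-mix: company A's subject name, but issued by company B's CA.
CERT_MIXED = {"SubjectName": "CN=MyCompName,O=Eng",
              "IssuerName": "CN=YourCompCA,O=Network Security"}


def filter_matches(f: CredentialFilter, cert: Dict[str, str]) -> bool:
    """One CredentialFilter matches when the named field equals its value."""
    return cert.get(f.match_field_name) == f.match_field_value


def evaluate_flat(filters: List[CredentialFilter], cert: Dict[str, str]) -> bool:
    """Evaluate a single flat filter list under the assumed AND/OR rule."""
    if not filters:
        return False
    if all(f.entry_sequence == 0 for f in filters):
        return all(filter_matches(f, cert) for f in filters)   # AND
    if all(f.entry_sequence != 0 for f in filters):
        return any(filter_matches(f, cert) for f in filters)   # OR
    raise ValueError("mixed zero/non-zero EntrySequence values are undefined here")


def and_list(subject: str, issuer: str) -> List[CredentialFilter]:
    """Issuer AND subject: the only way to pin one identity in a flat list."""
    return [CredentialFilter("IssuerName", issuer, 0),
            CredentialFilter("SubjectName", subject, 0)]


def flat_or_list() -> List[CredentialFilter]:
    """Every issuer and subject from both alternatives in one OR list."""
    return [
        CredentialFilter("IssuerName", CERT_A["IssuerName"], 1),
        CredentialFilter("SubjectName", CERT_A["SubjectName"], 2),
        CredentialFilter("IssuerName", CERT_B["IssuerName"], 3),
        CredentialFilter("SubjectName", CERT_B["SubjectName"], 4),
    ]


def intended_groups() -> List[List[CredentialFilter]]:
    """The policy the post wants: OR over groups, each group an AND."""
    return [and_list(CERT_A["SubjectName"], CERT_A["IssuerName"]),
            and_list(CERT_B["SubjectName"], CERT_B["IssuerName"])]


def evaluate_grouped(groups: List[List[CredentialFilter]], cert: Dict[str, str]) -> bool:
    """Any group may match; within a group every filter must match."""
    return any(evaluate_flat(group, cert) for group in groups)


if __name__ == "__main__":
    for name, cert in (("A", CERT_A), ("B", CERT_B), ("mixed", CERT_MIXED)):
        print(f"{name:5} flat-OR={evaluate_flat(flat_or_list(), cert)!s:5} "
              f"grouped={evaluate_grouped(intended_groups(), cert)}")
```

Running the block shows that the flat OR list accepts all three certificates, including the cross-mixed one, because any single matching field is enough, while the grouped evaluation accepts only the two genuine issuer/subject pairs.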