VPN through BSD for Win2k, totally baffled

[Chris BeHanna]

On Thursday 08 May 2003 16:39, Michael Collette wrote:
> On Thursday 08 May 2003 05:26 am, Jacques A. Vidrine wrote:
> > It's hard to tell from your message where you are getting lost, but I'll
> > give it a shot.  Assuming you have all your certificates (let's call
> > them client.crt/client.key, server.crt/server.key, and ca-local.crt):
>
> Took me a while to figure out how to even ask the question!  After heading
> down a bunch of dead ends and all.
>
> A couple of follow up questions to this.  If I go the route of handing out
> certificates to end users, is there a mechanism for revoking their rights
> to enter?  Employees do get other jobs, and almost all of them are using
> laptops which they travel with.  We've had folks get laptops stolen.
>
> Is the cert an all or nothing kinda deal.  For instance, I need a different
> level of access than a salesperson.  We have a programmer who needs access
> to different resources than myself or sales.  All of these outside folks
> are on dynamic IPs.

    Unless I miss my mark, all IPsec gets you is a secure tunnel to
the office network.  It does not circumvent the usual user- and group-
based permissions, nor will it circumvent NTFS ACLs.

    IOW, even after the IPsec link is established, the user *still*
has to log in, in which case you should be able to provide the kinds
of access controls you want via ACLs, netgroups, permissions masks,
etc.

    Right?

--
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna at bogus.zbzoom.net
                 Turning coffee into software since 1990.