SSTP works without certificate

Support requests about VPN Client Pro
Porfavor
Posts: 6
Joined: Thu Dec 26, 2019 11:02 pm

Post by Porfavor » Thu Dec 26, 2019 11:06 pm

Hello,

can anyone explain how it is possible that an SSTP connection works without using a certificate (on Windows clients that won't work, and it shouldn't work either) using this app?

Is there anything misconfigured on the server?

admin
Site Admin
Posts: 531
Joined: Fri Feb 15, 2019 4:04 pm

Post by admin » Fri Dec 27, 2019 8:57 am

Are you talking about the certification authority or the client certificate used by the EAP-TLS authentication protocol?

On Windows the certification authority is mandatory and is used to verify the validity of the server certificate.
In my app the user can import the certification authority, but it is optional. If the certification authority is not configured, on the first connection the app shows the user the details of the server certificate; if the user allows the connection, the app saves the server certificate and checks it on each subsequent connection. This is done to simplify the VPN configuration.

The client certificate is used only if the server is configured with the EAP-TLS authentication protocol. Anyway, the server can be configured with multiple authentication protocols, and in this case the client can negotiate one of the other available authentication methods.
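The save-and-check behaviour described in the post above is trust-on-first-use pinning. The sketch below is an added example, not part of the original post and not the app's code; `TofuStore`, the JSON pin file, the `confirm` callback and the host name are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from pathlib import Path


class PinMismatch(Exception):
    """Server presented a certificate different from the saved one."""


class TofuStore:
    """Hypothetical pin store: "host:port" -> SHA-256 of the DER certificate."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host, port, der_cert, confirm):
        """Return 'pinned' on first accepted use, 'match' on later connections.

        der_cert is what ssl.SSLSocket.getpeercert(binary_form=True) returns.
        confirm(key, fingerprint) -> bool stands in for the dialog that shows
        the certificate details to the user on the first connection.
        """
        key = f"{host}:{port}"
        seen = hashlib.sha256(der_cert).hexdigest()
        saved = self.pins.get(key)
        if saved is None:
            if not confirm(key, seen):
                raise PermissionError(f"user rejected certificate for {key}")
            self.pins[key] = seen
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "pinned"
        if not hmac.compare_digest(saved, seen):
            # A changed certificate is a renewal or an interception: fail
            # closed and require the user to re-approve it deliberately.
            raise PinMismatch(f"{key}: saved {saved[:16]}..., got {seen[:16]}...")
        return "match"


def demo(store_path):
    # Constructed byte strings standing in for DER-encoded server certificates.
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    results = [TofuStore(store_path).check("vpn.example.net", 443, cert_a, lambda k, fp: True)]
    # Second connection: the pin is loaded from disk, the user is not asked again.
    results.append(TofuStore(store_path).check("vpn.example.net", 443, cert_a, lambda k, fp: False))
    try:
        TofuStore(store_path).check("vpn.example.net", 443, cert_b, lambda k, fp: True)
    except PinMismatch:
        results.append("mismatch")
    return results
```

With this scheme the first connection is only as trustworthy as the user's check of the displayed details; importing the certification authority, which the post says the app supports, removes that dependency.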

Post by Porfavor » Fri Dec 27, 2019 4:53 pm

Hello,

thank you for your reply.

It then may have something to do with several authentication options. I'll have to have a look at that, I think.

I am talking about the client certificate which, on Windows clients, needs to be created on the client and where a request to the server needs to be made. Or isn't the client request necessary with the current configuration? I am not familiar with certificates yet; I just played around with different VPN protocols and intend to stay with SSTP as it seems to work best.

Post by Porfavor » Fri Dec 27, 2019 5:09 pm

The authentication options checked are "EAP" and "MS-CHAP v2". On the Windows client it's "EAP-MS-CHAP v2". Is this supposed to need a client certificate? If not, which method would be the one to use for certificate authentication?

Post by admin » Sat Dec 28, 2019 8:37 am

Both EAP-MS-CHAPV2 and MS-CHAPV2 are based on username and password.
To use the certificate you should use EAP-TLS.
On the server side it should be called something like "EAP Microsoft: Smart card or other certificate".

Post by Porfavor » Sat Dec 28, 2019 6:42 pm

Thank you for explaining. I did that now and it can't - as expected - connect, as there is no certificate on/for the client. How can I create a certificate for an Android client?

Post by Porfavor » Sun Dec 29, 2019 1:34 am

Now, I am not able to access the LAN after connecting, which had worked before. I have no idea what's the issue. Have already played around with different settings. I am a bit confused about the IP4 routes, which tell me 10.61.61.2/32 (VPN range - okay), 0.0.0.0/1, 128.0.0.0/1.

The last two values seem not to be correct - I suppose, this should be 255.255.255.0, VPN server?

Post by Porfavor » Sun Dec 29, 2019 2:49 am

Never mind. A complete restart of the router and server did it. It works again.