You need a Root CA (PKI) to produce Client Certificate(s).
Install the client cert on the user's notebook.
Install the Root CA certificate on the user's notebook.
Install the Root CA certificate under "Trusted Client Root CA" on the IVE.
Configure on the IVE an Auth. Server of type Certificate Server.
Configure on the IVE a Realm which uses this Certificate Server for authentication.
Configure on the IVE, at Realm level, Role Mapping Rules: when the certificate attribute CN is *, then assign the role VPN User.
That's the whole rap.
The only problem, or most of the support effort, may be the enrolment of client certificates and renewing certificates after they expire. Otherwise this is a very nice method, as it does not need user interaction, and it's very safe.
You can also enforce that the VPN end devices must be corporate client devices, marked with a client certificate.
I need a pretty simple document that practises doing this using the Win2K3 cert manager. My email address is firstname.lastname@example.org
Thanks a lot.
Spacyfreak gave you some good ideas about the whole thing.
First of all we assume the workstations have a valid USER cert.
(We are not talking about machine certs here; that would be covered by Host Checker.)
- create a new auth server as a certificate server
User Name Template is the only thing that is important here...
e.g. <certAttr.altName.UPN> for the User Principal Name
- go to Configuration -> Certificates -> Trusted Client CAs
Import the Root and maybe also the intermediate CA certificate
- create a new realm
Use the certificate server auth server entry for authentication
Go to Authentication Policy -> Certificate and select "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in..."
That's it ...
- role mapping: * -> Role
Everybody with a valid user cert will be able to log on.
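As an added example that is not part of any post in this thread: a throwaway PKI built with the openssl command line that produces the pieces both replies above rely on (a root CA certificate to import under Trusted Client CAs, and a user certificate carrying the UPN in its subjectAltName) and then reproduces locally the two things the IVE does with such a certificate, the realm's "signed by Trusted Client CAs" chain check and the reading of certAttr.CN and certAttr.altName.UPN for the role mapping rule and the User Name Template. It is not the Win2K3 cert manager walkthrough asked for above and the IVE itself is not involved. The company name, the DNs, the UPN alice@example.org and the second "Rogue CA" are made-up assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: a throwaway PKI built with
# the openssl CLI. It creates the artefacts the IVE setup needs (a root CA
# to import under Trusted Client CAs, a user certificate for the notebook)
# and re-creates the IVE-side checks locally. All DNs, the UPN and the
# "Rogue CA" are made-up assumptions.
set -e

WORK=${WORK:-$(mktemp -d)}

# Self-signed root CA: $1 = basename, $2 = CN. The .pem is what gets
# imported on the IVE; the .key stays on the CA host.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/O=Example Corp/CN=$2" 2>/dev/null
}

# User certificate signed by CA $1: $2 = basename, $3 = CN, $4 = UPN.
# The UPN is stored as a subjectAltName otherName with the Microsoft UPN
# OID 1.3.6.1.4.1.311.20.2.3, which is what <certAttr.altName.UPN> reads;
# the EKU restricts the certificate to client authentication.
issue_user_cert() {
    cat >"$WORK/$2.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$4, email:$4
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/O=Example Corp/CN=$3" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# Realm policy "Only allow users with a client-side certificate signed by
# Trusted Client CAs": the cert must chain to the imported root and nothing
# else. $1 = trusted root .pem, $2 = user cert .pem. Exit status 0 = accepted.
realm_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# certAttr.CN, the attribute the role mapping rule "CN is *" matches on.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# certAttr.altName.UPN, the value the User Name Template turns into the
# login name. OpenSSL 3.x prints the otherName as "othername: UPN::<upn>";
# OpenSSL 1.1.x prints "othername:<unsupported>" and this returns "".
cert_upn() {
    openssl x509 -in "$1" -noout -text |
        grep -o 'UPN:*[^,]*' | sed 's/^UPN:*//' | head -n 1
}

# Build the lab: the corporate root, one enrolled user, and a second CA the
# IVE was never told about. Its user cert copies Alice's CN and UPN exactly,
# so only the chain check tells the two apart.
make_ca root "Example Root CA"
make_ca rogue "Rogue CA"
issue_user_cert root alice "Alice Example" alice@example.org
issue_user_cert rogue mallory "Alice Example" alice@example.org

for user in alice mallory; do
    if realm_accepts "$WORK/root.pem" "$WORK/$user.pem"; then
        echo "$user: accepted, CN=$(cert_cn "$WORK/$user.pem") UPN=$(cert_upn "$WORK/$user.pem")"
    else
        echo "$user: rejected, not signed by a Trusted Client CA"
    fi
done
echo "artefacts left in $WORK"
```

The mallory case is the reason the authentication policy in the reply above is not optional: anybody can mint a certificate whose CN and UPN match a real user, and the role mapping rule "CN is *" would happily hand it a role. Only the chain to the root imported under Trusted Client CAs makes those attributes worth anything, so the realm check must run before the attribute is read. Extracting the UPN from the command line needs OpenSSL 3.x; older versions do not decode the otherName, although the IVE reads it regardless.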