I would like to know if it’s possible to use the MikroTik RB951G as an SSTP server and authenticate with certificates stored on smart cards.
I have already set up SSTP with self-signed certificates using this tutorial: http://www.dr0u.com/mikrotik-setup-sstp-server-for-windows-10-client/
I would like to ask if someone has got SSTP with smart cards working; if so, please give me a brief explanation or point me to a tutorial.
The post is a little old, but glad the article helped; I’m the guy who wrote that one.
Have you found any solution to your smart card problem? I’m not exactly sure what you are trying to accomplish, but the SSTP settings on Windows give you the option to use a certificate on a smart card; you would have to add a client certificate on the MikroTik, I suppose… Happy to help if you want to share what you’ve tried so far… (I don’t have any smart card hardware myself; I may try with a software emulator when I get a chance.)
Hate to resurrect an old thread, but I’m actually pretty interested in this as well. If you’re in a position to do some testing, I would recommend a phased approach.
First, get smart card authentication working within your Windows environment. I’d recommend using Active Directory with AD Certificate Services set up. This simplifies the process of mapping user certificates to given user accounts (it’s a LOT of work if you use an external issuing CA for user certs). Next, get the SSTP VPN working using username/password. This validates that the users can successfully authenticate against AD through NPS. Once you have that working, I would think it would be as simple as defining the appropriate NPS policy to support certificate based authentication, and reconfiguring the users’ VPN clients to use their smart card certificate. You can optionally enable the “Verify Client Certificate” function on the SSTP server, as long as the SSTP server can reach the CDP to do so.
Sadly, I’m not in a position to test any of this quite yet. I don’t have access to the necessary equipment to make my own smart cards, so I’m not ready to generate client certs. I have gotten an SSTP server working using AD username/password, but I currently have that all disabled in favor of a standalone OpenVPN server.
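Added example, not from this thread or the linked tutorial: a RouterOS v6 CLI sketch of the phased approach described in the previous post, covering only the MikroTik side (the NPS policy and the Windows client's smart-card EAP settings are not shown). The hostname vpn.example.com, the NPS/RADIUS address 192.0.2.10, the shared secret, the address pool and the uploaded CA file name ca.crt are all assumed placeholders.

```routeros
# Added example; not the thread author's or the tutorial's configuration.
# Assumed placeholders: vpn.example.com, 192.0.2.10 (NPS acting as RADIUS),
# "radius-shared-secret", 10.99.0.0/24 client pool, ca.crt uploaded via Files.

# --- Phase 2: SSTP with username/password, users authenticated by AD via NPS ---
# Self-signed CA and server certificate for the SSTP listener (as in the tutorial).
/certificate add name=sstp-ca common-name=sstp-ca key-usage=key-cert-sign,crl-sign
/certificate sign sstp-ca name=sstp-ca
/certificate add name=sstp-server common-name=vpn.example.com \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign sstp-server ca=sstp-ca name=sstp-server

# Hand PPP authentication to NPS over RADIUS instead of the local /ppp secret table.
/radius add service=ppp address=192.0.2.10 secret=radius-shared-secret timeout=3s
/ppp aaa set use-radius=yes

# Address pool and profile handed to SSTP clients; encryption is mandatory.
/ip pool add name=sstp-pool ranges=10.99.0.10-10.99.0.100
/ppp profile add name=sstp-profile local-address=10.99.0.1 \
    remote-address=sstp-pool use-encryption=required

# Weak starting point for this phase: the server does not check client certificates.
/interface sstp-server server set enabled=yes port=443 certificate=sstp-server \
    authentication=mschap2 default-profile=sstp-profile verify-client-certificate=no

# --- Phase 3: require a client certificate chained to the enterprise CA ---
# Import the AD CS CA certificate and mark it trusted so client certs can chain to it.
/certificate import file-name=ca.crt passphrase=""
/certificate set [find where name~"ca.crt"] trusted=yes

# Let the router download and use the CRL published at the CDP named in the
# certificates; this is the step that needs the router to reach the CDP.
/certificate settings set crl-download=yes crl-use=yes crl-store=system

# Hardened setting: reject SSTP clients that do not present a trusted certificate.
/interface sstp-server server set verify-client-certificate=yes
```

If the CDP is only reachable inside the VPN itself, leave crl-download off or publish the CRL on an address the router can reach before the tunnel comes up; otherwise client certificate checks will fail before any user can connect.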