So I had a requirement on a VPN server I was setting up not long ago: only a "Smart Card Logon" cert would be permitted for EAP access into my VPN server. The normal setup information
(http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch1_70.asp) tells you how to set up RRAS to allow authentication via certificate, but it does not tell you how to limit which certs are allowed to be used to make that connection.
What is the issue?
Well, for example, let's say you work for a company that uses 802.1X and a "Client Authentication" cert for wireless access. A valid employee would have a client auth cert on their workstation.
Now, for security reasons, you don't want that user to be able to use that same cert (the client auth cert for wireless) to connect to the VPN servers. So how do you do it? By default, when RRAS is set up to do smart card or certificate authentication, it will allow any valid cert (one issued by the correct CA) to connect, no matter what purpose the cert was issued for.
What we want to do is limit it so only a Smart Card Logon cert will work. The key here is the Extended Key Usage (EKU) OID that a Smart Card Logon cert carries, which is 1.3.6.1.4.1.311.20.2.2. A plain Client Authentication cert carries 1.3.6.1.5.5.7.3.2 instead, so checking for the Smart Card Logon OID is what separates the two.
So follow the directions on setting up your VPN server for "Smart card or Certificate Authentication".
For a little better control of who I let into my VPN servers, I also created a security group called "Smart Card VPN Users". The users that I have issued a smart card to are members of this group.
Now test your connection. With the smart card cert it should allow you to connect, but if you use a Client Auth cert it should fail.
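To show exactly what the test above is exercising, here is the OID check written out in plain Python. This is an added example and not part of the original post or any Microsoft code: it decodes the DER value of an X.509 Extended Key Usage extension (id-ce-extKeyUsage, 2.5.29.37) with a small hand-written decoder, then applies the post's rule, permit only certs that carry the Smart Card Logon EKU 1.3.6.1.4.1.311.20.2.2 and refuse a cert that only has Client Authentication 1.3.6.1.5.5.7.3.2. The two sample EKU values are constructed inline to stand in for a smart card cert and a wireless client auth cert; no real certificate or CA is involved.

```python
"""Added example: decide whether a cert's EKU set qualifies it for the
"Smart card or Certificate" VPN policy from the post. Not the original
post's code; the sample EKU values below are constructed, not real certs."""

SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"   # Microsoft Smart Card Logon EKU
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"             # id-kp-clientAuth (802.1X wireless cert)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]  # first byte packs the first two arcs
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128, high bit set on all but last byte
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID as a full DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return bytes([0x06, len(body)]) + body


def encode_eku(oids):
    """Build the DER value of an EKU extension: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    assert len(body) < 128, "short-form length is enough for these samples"
    return bytes([0x30, len(body)]) + body


def decode_eku(der):
    """Parse an EKU extension value back into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    return oids


def allowed_for_vpn(eku_der):
    """The post's policy: only a cert carrying the Smart Card Logon EKU may connect.
    A cert with no EKU extension at all is treated as any-purpose by some
    validators, so it is refused explicitly here rather than waved through."""
    if eku_der is None:
        return False
    return SMART_CARD_LOGON in decode_eku(eku_der)


# Constructed sample EKU values (assumptions, not taken from real certificates).
# A smart card logon template normally carries Client Authentication as well.
SMART_CARD_EKU = encode_eku([CLIENT_AUTH, SMART_CARD_LOGON])
WIRELESS_EKU = encode_eku([CLIENT_AUTH])

if __name__ == "__main__":
    for name, eku in (("smart card cert", SMART_CARD_EKU), ("wireless cert", WIRELESS_EKU)):
        print(f"{name}: {decode_eku(eku)} -> allowed: {allowed_for_vpn(eku)}")
```

Note that the check is on the presence of the Smart Card Logon OID, not on the absence of Client Authentication: a smart card logon cert normally carries both, and it is the wireless cert, which has only Client Authentication, that gets refused.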
Please let me know if this works or does not work out for you! :) And enjoy.