user authentication with certificates for remote site vpn

CiscogeekIND
Level 1

Hi all

We are planning to authenticate the remote site VPN users using certificates; presently they are authenticating with an ADS server. We are planning to use our own certificate server. Can anybody tell me how to configure this certificate authentication for remote site VPN?

Any documentation would really help me.

Thanks in advance.

6 Replies

Hi,

If you use ASA:

Look at ASA/PIX 7.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example

Link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml

ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example

Link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

If you use IOS router

Configuring IPSec Between Cisco IOS Routers and Cisco VPN Client Using Entrust Certificates

Link: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800948e3.shtml

I hope this helps.

Best regards.

Massimiliano.

Thanks for the reply.

I will check and reply back.

Is there any datasheet or RFC document that explains how exactly certificate authentication works?

How does the ASA get the certificate from the CA server (which ports does it use, and how exactly does it work)?

Here we are not pointing to any particular CA server, so how does the ASA know the CA server and download the certificate?

Refer to the documentation for the "crypto ca trustpoint", "crypto ca authenticate" and "crypto ca enroll" commands.
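As an added example (not from this thread or from Cisco's own guides), the ASA 8.x CLI sequence behind those three commands, showing where the CA server is actually named: the enrollment URL on the trustpoint. Hostnames, trustpoint, key and tunnel-group names are placeholders.

```cisco
! Added example: ASA CLI for SCEP enrollment against a Microsoft CA.
! All names and hostnames below are placeholders, not from the thread.
!
! 1. Key pair that the ASA's identity certificate will be bound to.
crypto key generate rsa label RA-VPN-KEY modulus 2048
!
! 2. The trustpoint is where the ASA learns about the CA. "enrollment url"
!    is the CA's SCEP endpoint (HTTP, TCP/80 by default) - this answers
!    "how does the ASA find the certificate server".
crypto ca trustpoint MS-CA
 enrollment url http://ca.example.internal/certsrv/mscep/mscep.dll
 subject-name CN=asa.example.internal,OU=Network,O=Example
 keypair RA-VPN-KEY
 crl configure
!
! 3. Download the CA certificate over SCEP. The ASA prints the CA
!    certificate's fingerprint and asks whether to accept it: compare it
!    with the fingerprint published by the CA administrator before saying
!    yes, otherwise anything answering on that URL would become trusted.
crypto ca authenticate MS-CA
!
! 4. Request the ASA's own identity certificate from the CA (the CA may
!    require a one-time challenge password from its SCEP admin page).
crypto ca enroll MS-CA
!
! 5. Certificates are stored in the running configuration and saved to
!    flash on "write memory". Verify from exec mode:
show crypto ca trustpoints
show crypto ca certificates
!
! 6. Use RSA-signature (certificate) authentication for remote-access
!    clients and present the MS-CA trustpoint to them.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point MS-CA
!
! 7. Map incoming client certificates to a connection profile by issuer,
!    so only certificates from the expected CA reach this tunnel-group.
crypto ca certificate map CERT-MAP 10
 issuer-name attr cn eq example-ca
tunnel-group-map enable rules
tunnel-group-map CERT-MAP 10 DefaultRAGroup
```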

First of all thanks for the reply.

Here I want to use a separate server.

After initiating the command

crypto ca enroll CA, how does it point to the third-party server (how does it find the certificate server)?

How does it receive the certificate, and where will the ASA save it?

If you need any updates from me, I will provide my inputs.

You need to import the CA certificate into your ASA that signed your client certificate. Then tick the option Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles 'Require client certificate'. Then in your connection profile choose auth method as AAA as you are not doing cert auth. When you connect to ASA with your IE browser, you should be prompted to choose a client certificate to use for your connection to the ASA. I don't think this works for Firefox as it won't have access to your Windows certificate store. The ASA should look through all its CA trustpoints to find one that matches the CA that signed your client cert, thereby validating your identity. I have only tried this with a Windows user certificate, not a machine certificate.
