Switching from pre-shared keys to certificates for remote access VPN

Unanswered Question
Feb 4th, 2010
User Badges:

We have old VPN3000 concentrators that service PPTP, L2TP/IPSec and Cisco VPN Client connections from our users.  For the L2TP/IPSec and Cisco VPN Client users, we use preshared keys for initial authentication, then have users provide a username and password for the next authentication phase. We are looking at migrating to the ASA platform, which of course does not support PPTP, but we want to maintain L2TP/IPSec and Cisco VPN Client options as well as add AnyConnect capability.


What we would like to do is replace the preshared key authentication that we used with the VPN3000s with machine certificate authentication.  We do not want to have to generate user certificates, rather it was our understanding that the ASA certificate would be used to authenticate the ASA to the connecting client, the client would have to import the certificate and set up the VPN clients to trust it, and then still have the users present a username and password for the next authentication phase.


The available documentation, for example http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080930f21.shtml , only references situations where the users have to request a user certificate from a CA, which is not something we want to do.


Is what I describe possible?  Or do we just not have a clear understanding on how the whole process works?


Thanks in advance!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Ivan Martinon Fri, 02/05/2010 - 09:54
User Badges:
  • Cisco Employee,

Hi Julian,


When using machine certificate authentication with l2tp/ipsec this certificate will be used for IKE authentication and afterwards this has been completed the user will have to give the user credentials.


The way this works is you need to have 2 certificates on the ASA, a Root Certificate Authority and an ID certificate, this would mean you need to enroll your ASA to your CA server, then you need to have a machine certificate for each computer that will be connecting since this is the one used for IKE validation.


In the scenario where Cisco VPN client is used, then the  machine certificate will not work (AFIK) and instead an ID certificate will have to be granted, and the process is the same as the previous client.


When using Anyconnect is when you might be kind of accurate in your statements, only if you are not using client authentication via certificates, with anyconnect you will use an SSL certificate that the client will need to trust (if not issued by a trusted authority) and the the connection will take place.


Please let me know if this is clear.

bogdan.dobrota@... Mon, 03/29/2010 - 08:38
User Badges:

Hi Ivan,


I am as well intersted in this topic as well.

The idea is following:

1. Machine certificates are tight to specific computers (make them via autoenrollment and non-exportable)

2. This can be used for the IKE phase 1 to build the secure channel (instead of using the Group Passwords)

(you can lock on the group the users, but this does not help, as if you know the password for the Groups is useless)

3. On the last part/phase the centralized users (either via RADIUS, Active Directory, LDAP etc) are asked for credentials (via secured communication agreed on the phase 1).


For medium to large companies thie make sense, since lot of them have already deployed the PKI infrastructure.


Theses questions are coming in place:

- is it possible to be done via Cisco VPN client? or

- have to done via normal/native Microsoft DUN (Dial Up Networking) client, which is most used for L2TP/IPSec


Looking forward for your feedback.


Kind Regards,

Bogdan

Actions

This Discussion

Related Content