Cisco Support Community

New Member

user authentication with certificates for remote site vpn

Hi all

We are planning to authenticate the remote site VPN users using certificates; presently they are authenticating with an ADS server. We are planning to use our own certificate server. Can anybody tell me how to configure this certificate authentication for remote site VPN?

Any documentation would really help me.

Thanks in advance.

6 REPLIES

Re: user authentication with certificates for remote site vpn

Hi,

If you use ASA:

Look at ASA/PIX 7.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example

Link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml

ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example

Link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

If you use an IOS router:

Configuring IPSec Between Cisco IOS Routers and Cisco VPN Client Using Entrust Certificates

Link: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800948e3.shtml

I hope this helps.

Best regards.

Massimiliano.

New Member

Re: user authentication with certificates for remote site vpn

Thanks for the reply.

I will check and reply back.

Is there any datasheet or RFC document that explains how exactly certification works as authentication?

How does the ASA get the certificate from the CA server (which ports will it use, and how exactly does it work)?

New Member

Re: user authentication with certificates for remote site vpn

Here we are not pointing to any particular CA server; how does the ASA know the CA server and download the certificate?

Gold

Re: user authentication with certificates for remote site vpn

Refer to the documentation for the "crypto ca trustpoint", "crypto ca authenticate" and "crypto ca enroll" commands.

New Member

Re: user authentication with certificates for remote site vpn

First of all, thanks for the reply.

Here I want to use a separate server.

After initiating the command

crypto ca enroll CA, how does it point to the third-party server (how does it find the certificate server)?

How does it receive the certificate, and where will the ASA save it?

If you need any updates from me, I will provide my inputs.

New Member

Re: user authentication with certificates for remote site vpn

You need to import the CA certificate into your ASA that signed your client certificate. Then tick the option Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles 'Require client certificate'. Then in your connection profile choose auth method as AAA as you are not doing cert auth. When you connect to ASA with your IE browser, you should be prompted to choose a client certificate to use for your connection to the ASA. I don't think this works for Firefox as it won't have access to your Windows certificate store. The ASA should look through all its CA trustpoints to find one that matches the CA that signed your client cert, thereby validating your identity. I have only tried this with a Windows user certificate, not a machine certificate.
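The three commands named in the replies above, put together in the order they are used. This is an added example, not part of the original thread and not taken from the linked Cisco documents; it assumes ASA 8.0 to 8.3 syntax with SCEP enrollment, and the key label, host names, CA URL and tunnel-group name are placeholders.

```cisco
! Constructed example: vpn-key, asa.example.com, ca.example.com and RA-VPN
! are placeholders, not values from the thread.
!
! 1. Key pair that the ASA identity certificate will be issued for.
crypto key generate rsa label vpn-key modulus 2048
!
! 2. The trustpoint is where the ASA is told which CA server to use.
!    "enrollment url" points at the CA's SCEP service, reached over HTTP
!    (TCP 80 unless the URL names another port).
crypto ca trustpoint CA
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 keypair vpn-key
 fqdn asa.example.com
 subject-name CN=asa.example.com
 ! Reject peer certificates that the CA's CRL lists as revoked.
 revocation-check crl
!
! 3. Download the CA certificate from the enrollment URL. The ASA shows
!    its fingerprint; compare it with the CA administrator out of band
!    before answering "yes".
crypto ca authenticate CA
!
! 4. Send the ASA's own certificate request to the same URL. Once issued,
!    the certificate appears in the configuration under
!    "crypto ca certificate chain CA".
crypto ca enroll CA
!
! 5. Make IKE authenticate with certificates instead of a pre-shared key
!    and bind the remote-access tunnel group to the trustpoint.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN ipsec-attributes
 trust-point CA
!
! 6. Confirm both the CA and identity certificates are present, then save.
show crypto ca certificates
write memory
```

If the CA has no SCEP service, `enrollment terminal` in the trustpoint replaces the URL, and the CA certificate and the signed request are pasted in by hand.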
