Digital certificates in VPN 3000

marconi_souza
Level 1

Is it possible to use digital certificates for communication between a Cisco VPN Client 4.0 and a VPN 3000, using ACS (RADIUS) for authentication? If yes, could anyone tell me what to configure in ACS?! I looked for this on the net but only found the configuration with the VPN 3000 itself being the auth server.

5 Replies

mnlatif
Level 3

If you only plan to use Authentication (no Authorization) then you don't need to configure anything on the ACS server. Everything remains the same as with Pre-Shared keys\group password, and the user will be prompted for username\password (X-AUTH) after certificate verification.

VPN 3000 extracts the group_name from the Certificate "OU" field by default unless you define "Group matching" rules, which give you the option to use other certificate fields for Group assignment.

Regards \\ Naman

Another question: the certificate I'm using to test has 2 "OU" fields with 2 different names. Do I have to include both in the group matching rule?!

If I use ACS as my AAA server, then my auth would be in it, right? I'm planning to do my auth against a domain group in Microsoft AD... so, I create a group in the VPN 3000, another in ACS matching the one in the VPN 3000, and one or more in AD matching this one in ACS, right?! In this case, do I have to configure something different in ACS?

thanks

I had the following error during a test with my certificate from CA Caixa on the VPN 3000:

"18832 10/14/2005 18:21:10.090 SEV=3 CAPI/26 RPT=15
CAPI - RSA PKCS1 payload to be decrypted is not in PKCS1 format, bad block type
= [0x1a][0x8]

18834 10/14/2005 18:21:10.090 SEV=3 CERT/9 RPT=15
Certificate (serial number: XXXXXXX) failed validation
Reason: Invalid signature

18836 10/14/2005 18:21:10.090 SEV=4 CERT/3 RPT=15
Certificate is invalid: Invalid signature"

Could somebody help me solve this issue? I had a look at Cisco's doc, which says to reinstall the SSL certificate on the VPN 3000 to solve this problem. It sounds really strange to me...

Thanks for the replies

Are the VPN Concentrator certificate and the user certificate issued by the same CA?

If not, is the root CA for the user certificates installed as a trusted CA on the VPN 3000?

\\ Naman

Naman, thanks for your reply...

The certs at my work have this chain, which is installed in the VPN Client and the VPN 3000:

ca root

ca caixa

ca caixa pf

The identity cert of the VPN 3000 has this chain, which is installed in the equipment as CA certs:

ca root

ca caixa

ca caixa in

So, does the VPN 3000 cert have to have CA Caixa PF as issuer, like the others? Or could it be issued by CA Caixa directly?
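Two points run through this thread: a subject can carry more than one OU, so an OU-based group lookup has to decide which OU counts, and a certificate only validates when every issuer up to the root is in the concentrator's trusted-CA store. The following is an added illustration, not code from the thread or from Cisco; the "first OU naming a configured group wins" rule, the sample subject DN and the issuer map are constructed assumptions, and the CA names are taken from the chains posted above.

```python
# Added example (not from the thread or Cisco). Pure standard library.
# Models two checks: which OU of a multi-OU subject selects the VPN group,
# and whether a certificate's issuer chain is fully present in the trust store.
# The matching rule and the sample data below are assumptions for illustration.

def parse_dn(dn):
    """Split an RFC 4514-style DN string into ordered (attr, value) pairs.
    Handles backslash-escaped commas; not a complete RFC 4514 parser."""
    pairs, field, escaped = [], "", False
    for ch in dn + ",":
        if escaped:
            field, escaped = field + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            attr, _, value = field.partition("=")
            pairs.append((attr.strip().upper(), value.strip()))
            field = ""
        else:
            field += ch
    return pairs

def organizational_units(dn):
    """Every OU value in the subject, in the order it appears."""
    return [v for a, v in parse_dn(dn) if a == "OU"]

def match_group(dn, configured_groups):
    """Assumed rule: the first OU that names a configured group wins; None otherwise."""
    for ou in organizational_units(dn):
        if ou in configured_groups:
            return ou
    return None

def chain_is_trusted(subject, issuer_of, trusted_cas):
    """Walk subject -> issuer until a self-issued root; every issuer on the
    path must be in the trusted store, otherwise validation fails."""
    seen, current = set(), subject
    while current not in seen:
        seen.add(current)
        issuer = issuer_of.get(current)
        if issuer is None or issuer not in trusted_cas:
            return False          # unknown or untrusted issuer: chain breaks here
        if issuer == current:
            return True           # reached a trusted self-signed root
        current = issuer
    return False                  # cycle without a root: treat as untrusted

# Constructed sample data: a made-up client subject with two OUs, the CA names from the thread.
CLIENT_DN = "CN=jdoe, OU=sales, OU=vpn-remote, O=Caixa, C=BR"
VPN_GROUPS = {"vpn-remote", "vpn-admin"}
ISSUER_OF = {"ca root": "ca root", "ca caixa": "ca root",
             "ca caixa pf": "ca caixa", CLIENT_DN: "ca caixa pf"}
```

Dropping "ca caixa pf" from the trusted set makes `chain_is_trusted` fail for the client certificate, which is the situation Naman's question about the trusted root CA is probing for.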
