Certificate authentication from self-signed cisco CA

Posted on 2008-10-29
Last Modified: 2012-06-21
I am using webVPN on a Cisco ASA5510 running 8.0(4) to allow access to several web servers on the private side.  

I am authenticating users through active directory which works fine.

I want to use a second (additional) authentication method of requiring an issued certificate on the client.  This will basically screen who can try to authenticate to my AD (no issued cert, no username/password prompt).  I have generated a self-signed certificate on the ASA, set it up to require a certificate for authentication, but I can not find anything that tells me how to export a paired certificate from the ASA to import onto the clients.

Summarized, how do I use a certificate as additional user authentication using webVPN on a Cisco ASA5510.  I'm worried about authenticating specific users only, not the utility of the session encryption (which I can get using a generic certificate).

Have searched high and low both here and on Cisco....with no luck.  Hope someone can help!  Thanks.
Question by:Avi8r
3 Comments
LVL 5

Expert Comment

by:rexxus
ID: 22838388

Author Comment

by:Avi8r
ID: 22847415
Hi Rexxus.  Thanks for the Cisco doc.  Unfortunately it's the doc for the Cisco VPN client functionality (webVPN is clientless).  It did however have a good explanation on loading the CA and identity certs onto the ASA so I'm going to work with that until I hear differently.  
I have deleted the self-signed certificate and installed one from my CA onto the ASA.  I'm to the point where I get the "certification failure" on the workstation when attempting to hit the box.  I'm close...maybe with the wrong type of certificate on the workstation.  The session cert loaded on the workstation fine so I'm guessing that I need the "cert_client_id.cer" loaded onto the workstation.  I have a few things to try on Friday.
Thanks again.  Kurt

Accepted Solution

by:
Avi8r earned 0 total points
ID: 22858312

I found the final resolution to be installing a self-signed identity certificate, enabling the CA on the ASA, adding a user under the "manage user database" within the local CA tab, and then (here's the kicker) manually, through the CLI, allowing the user to pull a certificate off the ASA.

If doing all these steps through the ASDM, you are unable to "allow" a user to grab a certificate (even though there is a button and a check box for allowing users to do so).  So the last step is to issue the "crypto ca server user-db allow <user name>" command at the command prompt (not through the ASDM gui).  Then through the gui you can generate a one-time password for the user to be issued the correct personal certificate.

After issuing the command and generating the one-time password, the user is able to download the certificate to the workstation and access all the required services.

Kurt
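The steps from the question and the accepted solution, collected into one ASA 8.0-style CLI configuration. This is an added example, not configuration posted by Avi8r or taken from Cisco documentation; the hostnames, trustpoint and key labels, issuer name, tunnel-group name and user name are placeholders, and the enrollment URL path is assumed to be the ASA local CA default. The ASA prompts for a CA passphrase when the server is brought up with `no shutdown`.

```cisco
! Added example (not from the thread): self-signed identity cert, local CA,
! user enrollment from the CLI, and clientless WebVPN requiring a client
! certificate in addition to the AAA (Active Directory) login.
! All names below are assumed placeholders.

! 1. Identity certificate the ASA presents on the outside interface
crypto key generate rsa label ASA-SSL-KEY modulus 2048
crypto ca trustpoint ASA-SELF
 enrollment self
 subject-name CN=vpn.example.com
 keypair ASA-SSL-KEY
crypto ca enroll ASA-SELF noconfirm
ssl trust-point ASA-SELF outside

! 2. Enable the local CA ("enabling the CA on the ASA" in the solution).
!    'no shutdown' prompts for the CA passphrase; keep it somewhere safe,
!    it is needed to restore the CA from its archive.
crypto ca server
 issuer-name CN=ASA-Local-CA,O=Example
 keysize 2048
 lifetime certificate 365
 no shutdown

! 3. Add the user (the ASDM "manage user database" step) and, from the CLI,
!    allow that user to enroll. display-otp prints the one-time password
!    that the user types on the enrollment page.
crypto ca server user-db add kurt dn CN=kurt,O=Example email kurt@example.com
crypto ca server user-db allow kurt display-otp

! 4. Require both a client certificate and AAA credentials on the
!    clientless tunnel-group; a browser without a cert issued by the local
!    CA never reaches the username/password prompt.
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate

! Checks: which users are allowed to enroll, which have already enrolled,
! and the CA state. The user downloads the cert from (assumed default path)
! https://vpn.example.com/+CSCOCA+/enroll.html using the OTP above.
show crypto ca server user-db allowed
show crypto ca server user-db enrolled
show crypto ca server
```

The `user-db allow` line is the piece the thread identifies as missing from ASDM; once it is in place, the ASDM-generated OTP and the CLI `display-otp` are equivalent. The certificate issued through the local CA is chained to the ASA's own CA, so the `authentication aaa certificate` check screens by issuer before AD is ever consulted, which is the "no cert, no password prompt" behaviour asked for in the question.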
