Solved

Certificate authentication from self-signed cisco CA

Posted on 2008-10-29
Last Modified: 2012-06-21
I am using webVPN on a Cisco ASA5510 running 8.0(4) to allow access to several web servers on the private side.  

I am authenticating users through active directory which works fine.

I want to use a second (additional) authentication method of requiring an issued certificate on the client.  This will basically screen who can try to authenticate to my AD (no issued cert, no username/password prompt).  I have generated a self-signed certificate on the ASA, set it up to require a certificate for authentication, but I can not find anything that tells me how to export a paired certificate from the ASA to import onto the clients.

Summarized, how do I use a certificate as additional user authentication using webVPN on a Cisco ASA5510.  I'm worried about authenticating specific users only, not the utility of the session encryption (which I can get using a generic certificate).

Have searched high and low both here and on Cisco... with no luck.  Hope someone can help!  Thanks.
Question by: Avi8r
Expert Comment by: rexxus (ID: 22838388)
Author Comment by: Avi8r (ID: 22847415)
Hi Rexxus.  Thanks for the Cisco doc.  Unfortunately it's the doc for the Cisco VPN client functionality (webVPN is clientless).  It did however have a good explanation on loading the CA and identity certs onto the ASA so I'm going to work with that until I hear differently.
I have deleted the self-signed certificate and installed one from my CA onto the ASA.  I'm to the point where I get the "certification failure" on the workstation when attempting to hit the box.  I'm close... maybe with the wrong type of certificate on the workstation.  The session cert loaded on the workstation fine so I'm guessing that I need the "cert_client_id.cer" loaded onto the workstation.  I have a few things to try on Friday.
Thanks again.  Kurt

Accepted Solution by: Avi8r (earned 0 total points; ID: 22858312)

I found the final resolution to be installing a self-signed identity certificate, enabling the CA on the ASA, adding a user under the "manage user database" within the local CA tab, and then (here's the kicker) manually through the CLI allowing the user to pull a certificate off the ASA.

If doing all these steps through the ASDM, you are unable to "allow" a user to grab a certificate (even though there is a button and a check box for allowing users to do so).  So the last step is to issue the "crypto ca server user-db allow <user name>" command at the command prompt (not through the ASDM GUI).  Then through the GUI you can generate a one-time password for the user to be issued the correct personal certificate.

After issuing the command and generating the one-time password, the user is able to download the certificate to the workstation and access all the required services.

Kurt
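The sequence the accepted solution describes, written out as an added ASA CLI example (not taken from the thread or from Cisco documentation). The trustpoint, user, DN, and AAA server-group names are assumptions, and the command syntax is that of the 8.x local CA feature, so check it against the running version before applying it:

```cisco
! Added example; names (asa-vpn-ca.example.com, AD-LDAP, jdoe) are assumptions.
! Prerequisite: hostname and domain-name are already configured (the local CA
! refuses to start without them).
!
! 1. Enable the local CA. "no shutdown" generates the self-signed CA identity
!    certificate and prompts for the CA passphrase on first use.
crypto ca server
 issuer-name CN=asa-vpn-ca.example.com
 lifetime certificate 365
 no shutdown
!
! 2. Serve the ASA's own identity certificate for the SSL session and enable
!    clientless webVPN on the outside interface.
ssl trust-point LOCAL-CA-SERVER outside
webvpn
 enable outside
!
! 3. Require BOTH a client certificate and an AAA (Active Directory) login, so a
!    user without an issued certificate never reaches the username/password prompt.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD-LDAP
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
!
! 4. Add the user to the local CA database and explicitly allow enrollment.
!    The "allow" step is the one the thread found only works from the CLI.
crypto ca server user-db add jdoe dn CN=jdoe,OU=Users,O=Example email jdoe@example.com
crypto ca server user-db allow jdoe
!
! 5. Display the one-time password the user enters on the enrollment page to
!    download their personal certificate.
crypto ca server user-db show-otp jdoe
!
! Verification: confirm who is allowed to enroll and who has actually enrolled.
show crypto ca server user-db allowed
show crypto ca server user-db enrolled
```

Revoking a departed user's certificate (crypto ca server revoke <serial>) removes their access at the certificate gate regardless of the state of their AD account.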