Certificate authentication from self-signed Cisco CA (Solved)

Posted on 2008-10-29
Last Modified: 2012-06-21
I am using webVPN on a Cisco ASA5510 running 8.0(4) to allow access to several web servers on the private side.  

I am authenticating users through active directory which works fine.

I want to use a second (additional) authentication method of requiring an issued certificate on the client.  This will basically screen who can try to authenticate to my AD (no issued cert, no username/password prompt).  I have generated a self-signed certificate on the ASA, set it up to require a certificate for authentication, but I cannot find anything that tells me how to export a paired certificate from the ASA to import onto the clients.

Summarized, how do I use a certificate as additional user authentication using webVPN on a Cisco ASA5510?  I'm worried about authenticating specific users only, not the utility of the session encryption (which I can get using a generic certificate).

Have searched high and low both here and on Cisco... with no luck.  Hope someone can help!  Thanks.

Question by: Avi8r

3 Comments
 
LVL 5

Expert Comment

by:rexxus
ID: 22838388
0
 

Author Comment by: Avi8r, ID: 22847415

Hi Rexxus.  Thanks for the Cisco doc.  Unfortunately it's the doc for the Cisco VPN client functionality (webVPN is clientless).  It did however have a good explanation on loading the CA and identity certs onto the ASA, so I'm going to work with that until I hear differently.
I have deleted the self-signed certificate and installed one from my CA onto the ASA.  I'm to the point where I get the "certification failure" on the workstation when attempting to hit the box.  I'm close... maybe with the wrong type of certificate on the workstation.  The session cert loaded on the workstation fine, so I'm guessing that I need the "cert_client_id.cer" loaded onto the workstation.  I have a few things to try on Friday.
Thanks again.  Kurt
 

Accepted Solution by: Avi8r (earned 0 total points), ID: 22858312

I found the final resolution to be installing a self-signed identity certificate, enabling the CA on the ASA, adding a user under the "manage user database" within the local CA tab, and then (here's the kicker) manually, through the CLI, allowing the user to pull a certificate off the ASA.

If doing all these steps through the ASDM, you are unable to "allow" a user to grab a certificate (even though there is a button and a check box for allowing users to do so).  So the last step is to issue the "crypto ca server user-db allow <user name>" command at the command prompt (not through the ASDM GUI).  Then through the GUI you can generate a one-time password for the user to be issued the correct personal certificate.

After issuing the command and generating the one-time password, the user is able to download the certificate to the workstation and access all the required services.

Kurt
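The accepted solution's steps collected as one ASA CLI sequence, added here as an example and not the poster's own configuration; the user name, DN, e-mail address and tunnel-group name are placeholders, and the `display-otp` keyword, the enrollment URL and the `show` command are assumed from the ASA local CA feature rather than taken from the thread.

```cisco
! Added example (not from the original post). Placeholder values:
! user "kurt", DN "CN=kurt, O=Example", tunnel-group DefaultWEBVPNGroup.

! 1. Install the ASA identity certificate (already done in ASDM in the
!    thread), then bring up the local CA so the ASA can issue client certs.
crypto ca server
 no shutdown

! 2. Create the user's enrollment record (ASDM: Local CA > Manage User Database).
crypto ca server user-db add kurt dn "CN=kurt, O=Example" email kurt@example.com

! 3. The step ASDM did not complete for the poster: permit this user to enroll.
!    display-otp (assumed keyword) prints the one-time password on the console;
!    hand the OTP to the user out of band, never through the same web session.
crypto ca server user-db allow kurt display-otp

! 4. Require a client certificate *and* AD username/password on the
!    clientless (webVPN) tunnel-group, so users without an issued cert
!    never reach the AD credential prompt.
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate

! 5. Check who is allowed/enrolled; the user then fetches the certificate
!    from the ASA's enrollment page (assumed path: https://<asa>/+CSCOCA+/enroll.html).
show crypto ca server user-db
```

Once the certificate is in the browser's personal store, the webVPN login succeeds only for a client presenting a certificate issued by this local CA, which is the screening the question asked for.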