Certificate authentication from self-signed cisco CA

Posted on 2008-10-29
3 comments, 3,985 views. Last Modified: 2012-06-21
I am using webVPN on a Cisco ASA5510 running 8.0(4) to allow access to several web servers on the private side.  

I am authenticating users through active directory which works fine.

I want to use a second (additional) authentication method of requiring an issued certificate on the client. This will basically screen who can try to authenticate to my AD (no issued cert, no username/password prompt). I have generated a self-signed certificate on the ASA, set it up to require a certificate for authentication, but I can not find anything that tells me how to export a paired certificate from the ASA to import onto the clients.

Summarized, how do I use a certificate as additional user authentication using webVPN on a Cisco ASA5510. I'm worried about authenticating specific users only, not the utility of the session encryption (which I can get using a generic certificate).

Have searched high and low both here and on Cisco, with no luck. Hope someone can help! Thanks.
Question by:Avi8r

Expert Comment by rexxus (ID: 22838388)


Author Comment by Avi8r (ID: 22847415)

Hi Rexxus. Thanks for the Cisco doc. Unfortunately it's the doc for the Cisco VPN client functionality (webVPN is clientless). It did however have a good explanation on loading the CA and identity certs onto the ASA, so I'm going to work with that until I hear differently.

I have deleted the self-signed certificate and installed one from my CA onto the ASA. I'm to the point where I get the "certification failure" on the workstation when attempting to hit the box. I'm close... maybe with the wrong type of certificate on the workstation. The session cert loaded on the workstation fine, so I'm guessing that I need the "cert_client_id.cer" loaded onto the workstation. I have a few things to try on Friday.

Thanks again. Kurt
 

Accepted Solution by Avi8r (ID: 22858312, earned 0 total points)

I found the final resolution to be installing a self-signed identity certificate, enabling the CA on the ASA, adding a user under the "manage user database" within the local CA tab, and then (here's the kicker) manually, through the CLI, allowing the user to pull a certificate off the ASA.

If doing all these steps through the ASDM, you are unable to "allow" a user to grab a certificate (even though there is a button and a check box for allowing users to do so). So the last step is to issue the "crypto ca server user-db allow <user name>" command at the command prompt (not through the ASDM GUI). Then through the GUI you can generate a one-time password for the user to be issued the correct personal certificate.

After issuing the command and generating the one-time password, the user is able to download the certificate to the workstation and access all the required services.

Kurt
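The CLI form of the procedure the accepted solution describes, as an added example that is not part of the original thread and was not posted by its author. It puts the whole sequence in one place: a self-signed identity certificate for the SSL listener, the on-box local CA, the tunnel-group setting that demands a client certificate before the AD username/password prompt appears, the user-db entry, and the "allow" step that the author had to issue from the CLI. The hostname, trustpoint, key, tunnel-group, subject names, user name and e-mail address are all assumptions chosen for illustration; the enrollment URL path is given as I recall it for ASA 8.0 and should be checked against the release notes for the exact version in use.

```cisco
! Added example (not from the thread). Names below are assumptions.
! Tested mentally against ASA 8.0(4) syntax; verify on your own box.
hostname asa5510

! 1. Self-signed identity certificate for the WebVPN listener.
!    This only provides session encryption; it says nothing about users.
crypto key generate rsa label WEBVPN-KEY modulus 2048
crypto ca trustpoint WEBVPN-SELF
 enrollment self
 subject-name CN=asa5510.example.com
 keypair WEBVPN-KEY
crypto ca enroll WEBVPN-SELF noconfirm
ssl trust-point WEBVPN-SELF outside

! 2. Enable the local CA that will issue the per-user client certificates.
!    "no shutdown" prompts for a CA passphrase; the ASA places the CA
!    certificate in an automatically created trustpoint, LOCAL-CA-SERVER,
!    which is what lets it validate the client certificates it issued.
crypto ca server
 issuer-name CN=asa5510-local-ca,O=Example
 lifetime certificate 365
 otp expiration 24
 no shutdown

! 3. Require a client certificate AND AAA (AD) for the clientless portal.
!    With "aaa certificate" the TLS handshake demands a client certificate
!    first, so a browser with no issued certificate never sees the AD
!    login prompt, which is the screening effect the question asks for.
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate

webvpn
 enable outside

! 4. Create the user in the local CA database, then ALLOW enrollment.
!    The allow step is the one the author could not get ASDM to apply;
!    display-otp prints the one-time password on the console so it can be
!    handed to the user out of band.
crypto ca server user-db add kurt dn CN=kurt,OU=VPN,O=Example email kurt@example.com
crypto ca server user-db allow kurt display-otp

! 5. Verify the user is now in the "allowed" state before telling them
!    to enroll. The user then browses to the local CA enrollment page
!    (https://asa5510.example.com/+CSCOCA+/enroll.html, path assumed),
!    enters the username and one-time password, and imports the resulting
!    PKCS#12 file into the browser's personal certificate store.
show crypto ca server user-db allowed
show crypto ca server
```

Two things worth checking after this is in place. First, the ASA validates a presented client certificate against every trustpoint configured on the box, not only LOCAL-CA-SERVER, so if other CA certificates are later imported for unrelated purposes, confirm that a certificate from one of those CAs does not also pass the client-certificate step. Second, the one-time password is the only thing standing between an attacker and a freshly issued client certificate during its validity window, so keep the otp expiration short and deliver the password to the user by a channel other than the enrollment page itself.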