Solved

Certificate authentication from self-signed cisco CA

Posted on 2008-10-29
3
3,965 Views
Last Modified: 2012-06-21
I am using webVPN on a Cisco ASA5510 running 8.0(4) to allow access to several web servers on the private side.  

I am authenticating users through active directory which works fine.

I want to use a second (additional) authentication method of requiring an issued certificate on the client.  This will basically screen who can try to authenicate to my AD (no issued cert, no username/password prompt).  I have generated a self-signed certificate on the ASA, set it up to require a certificate for athentication, but I can not find anything that tells me how to export a paired certificate from the ASA to import onto the clients.

Summarized, how do I use a certificate as additional user authentication using webVPN on a cisco ASA5510.  I'm worried about authenicating specific users only, not the utility of the session encryption (which I can get using a generic certificate).

Have searched high and low both here and on Cisco....with no luck.  Hope someone can help!  Thanks.
0
Comment
Question by:Avi8r
  • 2
3 Comments
 
LVL 5

Expert Comment

by:rexxus
ID: 22838388
0
 

Author Comment

by:Avi8r
ID: 22847415
Hi Rexxus.  Thanks for the Cisco doc.  Unfortunately it's the doc for the Cisco VPN client functionality (webVPN is clientless).  It did however have a good explaination on loading the CA  and identity certs onto the ASA so I'm going to work with that until I hear differently.  
I have deleted the self-signed certificate and installed one from my CA onto the ASA.  I'm to the point where I get the "certification failure" on the workstation when attempting to hit the box.  I'm close...maybe with the wrong type of certificate on the workstation.  The session cert loaded on the workstation fine so I'm guessing that I need the "cert_client_id.cer loaded onto the workstation.  I have a few things to try on Friday.
Thanks again.  Kurt
0
 

Accepted Solution

by:
Avi8r earned 0 total points
ID: 22858312

I found the final resolution to be installing a self-signed identity certificate, enabling the CA on the ASA, adding a user under the "manage user database" within the local CA tab, and then (here's the kicker) manually  through the CLI allowing the user to pull and certificate off the ASA.

If doing all these steps through the ASDM, you are unable to "allow" a user to grab a certificate (even though there is a button and a check box for allowing users to do so).  So the last step is to issue the "crypto ca server user-db allow <user name> command at the command prompt (not through the ASDM gui).  Then through the gui you can generate a one-time password for the user to be issued the correct personal certificte.

After issuing the command and generating the one-time password, the user is able to download the certificate to the workstation and access all the required services.

Kurt
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question