Solved

Creating a VPN certificate from my Microsoft CA server

Posted on 2012-03-30
Last Modified: 2012-04-20
I have a Windows 2K3 server configured for Certificate Authority. My question is, we would like our VPN clients to start using a certificate from that server. Our new Cisco ASA will be our VPN server and our one Domain Controller is our radius server. Whether the user dials in or uses broadband, they still come in through our VPN client.

From my CA server, where do I push the VPN certificate? To my ASA VPN server or to my radius server? My second question is, what VPN certificate template should I push out?

Thanks
Question by:AGenMIS
11 Comments
 

Expert Comment

by:Jody Lemoine
ID: 37791037
The RADIUS authentication is entirely separate from the certificate piece, so you set up the certificate on the ASA. The firewall will need a certificate for certificate validation of user certificates, but users will only need a certificate generated from the user template.
 

Expert Comment

by:andrew1812
ID: 37792208
Your firewall would need a server certificate template and the users would need a user/computer certificate template based on whether you are authenticating the user/computer on the VPN.
 

Author Comment

by:AGenMIS
ID: 37800407
So no certificate gets added to my Radius Server?
 

Expert Comment

by:Jody Lemoine
ID: 37800431
No. RADIUS authentication is optional and doesn't even begin until both client and server certificates have been processed and the user attempts to log in. It's a totally separate step.
 

Author Comment

by:AGenMIS
ID: 37801745
Thank you. I take it the RAS and IAS Server certificate is what I should send to the VPN server? If that is the one I send, is there any modifications I need to make to that cert?

Thanks
 

Expert Comment

by:Jody Lemoine
ID: 37801950
The RAS certificate is what's needed.  IAS doesn't need one at all.  Not sure if RAS needs a special certificate though.  I typically don't use RAS when doing VPNs with PKI.
 

Author Comment

by:AGenMIS
ID: 37802022
The RAS and IAS Server certificate is one certificate. Isn't that the certificate I'm supposed to install on the VPN server from our CA server? I'm having a hard time finding any good documentation on how to set up a VPN certificate from a CA server.

Thanks
 

Expert Comment

by:Jody Lemoine
ID: 37802041
If it's one certificate, then that's the one you should install.  Typically, the request is generated from the RAS machine and then submitted to the CA for processing.  Once you have the CA's response, you can install that on the RAS machine and use it for certificate validation.
 

Author Comment

by:AGenMIS
ID: 37802959
To sum everything up, have the ASA firewall/server request the RAS and IAS Server certificate from my CA server. Then have the users request a certificate from the CA server's web site. Is the Authenticated Session certificate the certificate the users should be requesting? Also, does anything have to be done to the DCs? Sorry for all the questions! I'm not too knowledgeable in this area.
 

Accepted Solution

by:Jody Lemoine (earned 500 total points)
ID: 37802989
The users should be requesting a certificate based on the CA's "User Template."  Nothing needs to be done on the DCs as they're not part of the arrangement.  Essentially, it works like this:

User initiates VPN connection and gets the ASA's SSL certificate.  The browser will verify that the server's certificate is signed by a trusted authority and will present a warning to the user if it isn't.  At the same time, the ASA will request a certificate from the browser and will verify that it has been signed by a trusted authority.  Once this transaction is complete, everything falls back to standard RADIUS authentication against the IAS.  Certificates are issued by the CA, used by the client and authenticated against the CA by the ASA.  No other devices need be involved.
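The arrangement described in the accepted answer, written out as an ASA configuration. This is an added example for this page, not configuration posted in the thread and not taken from the asker's environment. The trustpoint name CORP-CA, key label VPN-KEY, AAA server name RADIUS-DC, tunnel group CORP-VPN, group policy CORP-POLICY, the host name vpn.example.com, the DC/IAS address 10.0.0.10, the shared secret placeholder and the issuing CA's CN are all assumed placeholders; it also assumes an ASA 8.x SSL remote-access VPN, which is the browser/SSL flow the answer describes. The ASA is enrolled as a client of the Windows CA (root certificate pasted in, CSR generated on the ASA, issued certificate imported back), the same CA is then used to validate the user certificates, and RADIUS against the DC only runs after the certificate exchange, exactly as the answer lays out.

```cisco
! --- ASA identity: keypair and trustpoint for the Windows 2003 CA ---
! The CA itself runs on Windows; nothing below is installed on the RADIUS/IAS server.
crypto key generate rsa label VPN-KEY modulus 2048

crypto ca trustpoint CORP-CA
 enrollment terminal
 subject-name CN=vpn.example.com,O=Example Corp
 fqdn vpn.example.com
 keypair VPN-KEY
 ! Check the CA's CRL so a revoked user certificate stops working.
 revocation-check crl
 crl configure

! Step 1: paste the CA's base64 root certificate when prompted.
! (Exported from the CA, or fetched from http://<ca>/certsrv "Download a CA certificate".)
crypto ca authenticate CORP-CA

! Step 2: the ASA prints a PKCS#10 request. Submit it through the CA web enrollment
! page as an "advanced" base64 request against a template that carries
! Server Authentication (the thread discusses the RAS and IAS Server template).
crypto ca enroll CORP-CA

! Step 3: paste the certificate the CA issued for the ASA.
crypto ca import CORP-CA certificate

! Present the CA-issued certificate on the outside interface for SSL VPN.
ssl trust-point CORP-CA outside

! --- Only accept user certificates issued by the corporate CA into this tunnel group ---
! Issuer CN below is a placeholder for the CA's actual common name.
crypto ca certificate map CORP-USERS 10
 issuer-name attr cn eq CORP-ISSUING-CA

! --- RADIUS: the domain controller running IAS (separate step, no certificate needed) ---
aaa-server RADIUS-DC protocol radius
aaa-server RADIUS-DC (inside) host 10.0.0.10
 key CHANGE-ME-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813

group-policy CORP-POLICY internal

! --- Remote-access tunnel group: certificate first, then RADIUS username/password ---
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group RADIUS-DC
 default-group-policy CORP-POLICY
tunnel-group CORP-VPN webvpn-attributes
 ! "aaa certificate" = both: a valid client certificate chaining to CORP-CA
 ! is required, and only then is the user prompted to log in via RADIUS.
 authentication aaa certificate
 group-alias CORP-VPN enable

webvpn
 enable outside
 ! Route anyone presenting a cert from the corporate CA into CORP-VPN.
 certificate-group-map CORP-USERS 10 CORP-VPN
```

Users then request their own certificate from the CA's web enrollment page using the User template; that template carries the Client Authentication purpose, which is what the ASA checks for on the client side. `show crypto ca certificates` confirms the ASA has both the CA certificate and its own issued identity certificate under CORP-CA, and a user whose certificate is missing or revoked never reaches the RADIUS prompt, which is the easiest way to see that the two steps are independent.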
 

Author Closing Comment

by:AGenMIS
ID: 37871002
Haven't tested the resolution to see if it works