Creating a VPN certificate from my Microsoft CA server

I have a Windows 2K3 server configured for Certificate Authority. My question is, we would like our VPN clients to start using a certificate from that server. Our new Cisco ASA will be our VPN server and our one Domain Controller is our radius server. Whether the user dials in or uses broadband, they still come in through our VPN client.

From my CA server, where do I push the VPN certificate? To my ASA VPN server or to my radius server? My second question is, what VPN certificate template should I push out?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jody LemoineNetwork ArchitectCommented:
The RADIUS authentication is entirely separate from the certificate piece, so you set up the certificate on the ASA. The firewall will need a certificate for certificate validation of user certificates, but users will only need a certificate generated from the user template.
Your firewall would need a server certificate template and the users would need a user/computer certificate template based on whether you are authenticating the user/computer on the VPN.
AGenMISAuthor Commented:
So no certificate gets added to my Radius Server?
Discover the Answer to Productive IT

Discover app within WatchGuard's Wi-Fi Cloud helps you optimize W-Fi user experience with the most complete set of visibility, troubleshooting, and network health features. Quickly pinpointing network problems will lead to more happy users and most importantly, productive IT.

Jody LemoineNetwork ArchitectCommented:
No. RADIUS authentication is optional and doesn't even begin until both client and server certificates have been processed and the use attempts to log in. It's a totally separate step.
AGenMISAuthor Commented:
Thank you. I take it the RAS and IAS Server certificate is what I should send to the VPN server? If that is the one I send, is there any modifications I need to make to that cert?

Jody LemoineNetwork ArchitectCommented:
The RAS certificate is what's needed.  IAS doesn't need one at all.  Not sure if RAS needs a special certificate though.  I typically don't use RAS when doing VPNs with PKI.
AGenMISAuthor Commented:
The RAS and IAS Server certificate is one certificate. Isn't that the certificate I'm suppose to install on the VPN server from our CA server? I'm having a hard time finding any good documentation on how to setup a VPN certificate from a CA server.

Jody LemoineNetwork ArchitectCommented:
If it's one certificate, then that's the one you should install.  Typically, the request is generated from the RAS machine and then submitted to the CA for processing.  Once you have the CA's response, you can install that on the RAS machine and use it for certificate validation.
AGenMISAuthor Commented:
To sum everything up, have the ASA firewall/server request the RAS and IAS server certificate from my CA server. Then have the users request a certificate from the CA servers web site. Is the Authenticated Session certificate the certificate the users should be requesting? Also, does anything have to be done to the DCs? Sorry for all the questions! I'm not too knowledgable in area.
Jody LemoineNetwork ArchitectCommented:
The users should be requesting a certificate based on the CA's "User Template."  Nothing needs to be done on the DCs as they're not part of the arrangement.  Essentially, it works like this:

User initiates VPN connection and get's the ASA's SSL certificate.  The browser will verify that the server's certificate is signed by a trusted authority and will present a warning to the user if it isn't.  At the same time, the ASA will request a certificate from the browser and will verify that it has been signed by a trusted authority.  Once this transaction is complete, everything falls back to standard RADIUS authentication against the IAS.  Certificates are issued by the CA, used by the client and authenticated against the CA by the ASA.  No other devices need be involved.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AGenMISAuthor Commented:
Haven't tested the resolution to see if it works
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.