Creating a VPN certificate from my Microsoft CA server

I have a Windows 2K3 server configured for Certificate Authority. My question is, we would like our VPN clients to start using a certificate from that server. Our new Cisco ASA will be our VPN server and our one Domain Controller is our radius server. Whether the user dials in or uses broadband, they still come in through our VPN client.

From my CA server, where do I push the VPN certificate? To my ASA VPN server or to my radius server? My second question is, what VPN certificate template should I push out?

Thanks
AGenMIS asked:
Jody Lemoine (Network Architect) commented:
The users should be requesting a certificate based on the CA's "User Template."  Nothing needs to be done on the DCs as they're not part of the arrangement.  Essentially, it works like this:

User initiates VPN connection and gets the ASA's SSL certificate.  The browser will verify that the server's certificate is signed by a trusted authority and will present a warning to the user if it isn't.  At the same time, the ASA will request a certificate from the browser and will verify that it has been signed by a trusted authority.  Once this transaction is complete, everything falls back to standard RADIUS authentication against the IAS.  Certificates are issued by the CA, used by the client and authenticated against the CA by the ASA.  No other devices need be involved.
 
Jody Lemoine (Network Architect) commented:
The RADIUS authentication is entirely separate from the certificate piece, so you set up the certificate on the ASA. The firewall will need a certificate for certificate validation of user certificates, but users will only need a certificate generated from the user template.
 
andrew1812 commented:
Your firewall would need a server certificate template and the users would need a user/computer certificate template based on whether you are authenticating the user/computer on the VPN.
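The two certificate checks Jody describes above (the client verifies the ASA's certificate, the ASA verifies the user's certificate, both against the same CA) and the template split andrew1812 mentions (a server template for the firewall, a user template for the people), as an added example that is not part of this thread: a throwaway openssl CA stands in for the Windows 2003 CA, issues one server certificate and one user certificate with the extended key usages those templates would set, and then runs each side's check with `openssl verify`. The names lab-ca, asa.example.com and jdoe are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread). A throwaway CA built with
# openssl stands in for the Windows 2003 CA so the two checks from the answer
# can be exercised offline:
#   1. the client checks that the ASA's certificate chains to the trusted CA
#      and is valid for a TLS server (what a server template issues);
#   2. the ASA checks that the user's certificate chains to the same CA and is
#      valid for TLS client authentication (what the User template issues).
# lab-ca, asa.example.com and jdoe are made-up names.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Root CA. In production this is the Windows CA; its certificate is what
#    the ASA trusts and what the clients already trust via the domain.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=lab-ca" -keyout ca.key -out ca.pem >/dev/null 2>&1

# issue <name> <subject> <eku>: sign a CSR with the CA, adding the extended
# key usage the corresponding Windows template would put in the certificate.
issue() {
  name="$1"; subj="$2"; eku="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
}

# What the ASA presents (server cert) and what a VPN user presents (user cert).
issue asa  "/CN=asa.example.com" serverAuth
issue jdoe "/CN=jdoe"            clientAuth

# verify_cert <cert> <purpose>: the check each side performs. Returns 0 when
# the certificate chains to the CA AND is usable for that purpose.
verify_cert() {
  openssl verify -CAfile ca.pem -purpose "$2" "$1" >/dev/null 2>&1
}

# Client-side check of the ASA, then ASA-side check of the user.
client_checks_asa() { verify_cert asa.pem sslserver; }
asa_checks_user()   { verify_cert jdoe.pem sslclient; }

# Why the template matters: a certificate cut from the server template must
# not pass as a client certificate, and vice versa, even though both chain to
# the same CA. Returns 0 only when both mismatches are rejected.
wrong_purpose_rejected() {
  ! verify_cert asa.pem sslclient && ! verify_cert jdoe.pem sslserver
}

# Stand-alone run: report the outcome of each check.
client_checks_asa      && echo "client: ASA certificate OK"
asa_checks_user        && echo "ASA: user certificate OK"
wrong_purpose_rejected && echo "swapped roles rejected"
```

Run it with sh; it needs only openssl. The last function is the point of the template question: a certificate issued from the server template fails the client-authentication check even though it chains to the same CA, which is why the firewall and the users get different templates. On the real Windows CA the equivalent is choosing the template at request time; on the ASA the CA certificate is imported into a trustpoint and each user's certificate is checked against it at connect time.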
 
AGenMIS (Author) commented:
So no certificate gets added to my Radius Server?
 
Jody Lemoine (Network Architect) commented:
No. RADIUS authentication is optional and doesn't even begin until both client and server certificates have been processed and the user attempts to log in. It's a totally separate step.
 
AGenMIS (Author) commented:
Thank you. I take it the RAS and IAS Server certificate is what I should send to the VPN server? If that is the one I send, is there any modifications I need to make to that cert?

Thanks
 
Jody Lemoine (Network Architect) commented:
The RAS certificate is what's needed.  IAS doesn't need one at all.  Not sure if RAS needs a special certificate though.  I typically don't use RAS when doing VPNs with PKI.
 
AGenMIS (Author) commented:
The RAS and IAS Server certificate is one certificate. Isn't that the certificate I'm supposed to install on the VPN server from our CA server? I'm having a hard time finding any good documentation on how to set up a VPN certificate from a CA server.

Thanks
 
Jody Lemoine (Network Architect) commented:
If it's one certificate, then that's the one you should install.  Typically, the request is generated from the RAS machine and then submitted to the CA for processing.  Once you have the CA's response, you can install that on the RAS machine and use it for certificate validation.
 
AGenMIS (Author) commented:
To sum everything up, have the ASA firewall/server request the RAS and IAS Server certificate from my CA server. Then have the users request a certificate from the CA server's web site. Is the Authenticated Session certificate the certificate the users should be requesting? Also, does anything have to be done to the DCs? Sorry for all the questions! I'm not too knowledgeable in this area.
 
AGenMIS (Author) commented:
Haven't tested the resolution to see if it works.