Creating a VPN certificate from my Microsoft CA server

I have a Windows 2K3 server configured for Certificate Authority. My question is, we would like our VPN clients to start using a certificate from that server. Our new Cisco ASA will be our VPN server and our one Domain Controller is our radius server. Whether the user dials in or uses broadband, they still come in through our VPN client.

From my CA server, where do I push the VPN certificate? To my ASA VPN server or to my radius server? My second question is, what VPN certificate template should I push out?

Thanks
0
Asked by AGenMIS
Jody Lemoine (Network Architect) commented:
The RADIUS authentication is entirely separate from the certificate piece, so you set up the certificate on the ASA. The firewall will need a certificate for certificate validation of user certificates, but users will only need a certificate generated from the user template.
0
 
andrew1812 commented:
Your firewall would need a server certificate template and the users would need a user/computer certificate template based on whether you are authenticating the user/computer on the VPN.
0
 
AGenMIS (Author) commented:
So no certificate gets added to my Radius Server?
0
 
Jody Lemoine (Network Architect) commented:
No. RADIUS authentication is optional and doesn't even begin until both client and server certificates have been processed and the user attempts to log in. It's a totally separate step.
0
 
AGenMIS (Author) commented:
Thank you. I take it the RAS and IAS Server certificate is what I should send to the VPN server? If that is the one I send, is there any modifications I need to make to that cert?

Thanks
0
 
Jody Lemoine (Network Architect) commented:
The RAS certificate is what's needed.  IAS doesn't need one at all.  Not sure if RAS needs a special certificate though.  I typically don't use RAS when doing VPNs with PKI.
0
 
AGenMIS (Author) commented:
The RAS and IAS Server certificate is one certificate. Isn't that the certificate I'm supposed to install on the VPN server from our CA server? I'm having a hard time finding any good documentation on how to set up a VPN certificate from a CA server.

Thanks
0
 
Jody Lemoine (Network Architect) commented:
If it's one certificate, then that's the one you should install.  Typically, the request is generated from the RAS machine and then submitted to the CA for processing.  Once you have the CA's response, you can install that on the RAS machine and use it for certificate validation.
0
 
AGenMIS (Author) commented:
To sum everything up, have the ASA firewall/server request the RAS and IAS Server certificate from my CA server. Then have the users request a certificate from the CA server's web site. Is the Authenticated Session certificate the certificate the users should be requesting? Also, does anything have to be done to the DCs? Sorry for all the questions! I'm not too knowledgeable in this area.
0
 
Jody Lemoine (Network Architect) commented:
The users should be requesting a certificate based on the CA's "User Template."  Nothing needs to be done on the DCs as they're not part of the arrangement.  Essentially, it works like this:

User initiates VPN connection and gets the ASA's SSL certificate.  The browser will verify that the server's certificate is signed by a trusted authority and will present a warning to the user if it isn't.  At the same time, the ASA will request a certificate from the browser and will verify that it has been signed by a trusted authority.  Once this transaction is complete, everything falls back to standard RADIUS authentication against the IAS.  Certificates are issued by the CA, used by the client and authenticated against the CA by the ASA.  No other devices need be involved.
0
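The trust relationship described in the answer above, as an added example that is not part of the original thread: the firewall holds a server certificate, each user holds a client certificate, and both chain to the one enterprise CA, which is the only thing the ASA needs to trust. The Windows CA would do the issuing in the asker's setup; here a throw-away CA built with openssl stands in for it so the script runs offline. All names (Example Enterprise CA, vpn.example.test, jdoe) and the file layout are constructed for the example. The "rogue" certificate is a self-signed client certificate that was never issued by the CA, to show that the ASA's certificate check fails before any RADIUS request is made.

```shell
#!/bin/sh
# Added example (not from the thread): a throw-away PKI that mirrors the
# ASA + enterprise-CA arrangement. openssl stands in for the Windows CA.
#   ca.pem    the CA certificate (what the ASA must trust)
#   asa.pem   the firewall's server cert  (serverAuth, like a RAS/IAS-style template)
#   user.pem  a VPN user's cert           (clientAuth, like the "User" template)
#   rogue.pem a self-signed client cert never issued by the CA
set -e

build_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Minimal openssl config so the example does not depend on the system openssl.cnf.
  # Each v3_* section is an extension profile, roughly a certificate template.
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
default_md = sha256
[dn]
CN = Example Enterprise CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.test
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # 1. The CA itself (self-signed, CA:TRUE).
  openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 365 -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # 2. The ASA generates its own key and CSR; only the CSR goes to the CA,
  #    which signs it with the server profile.
  openssl req -new -config "$dir/pki.cnf" -subj "/CN=vpn.example.test" -newkey rsa:2048 \
    -nodes -keyout "$dir/asa.key" -out "$dir/asa.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/asa.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/pki.cnf" -extensions v3_server -out "$dir/asa.pem" 2>/dev/null
  # 3. A user enrols the same way against the client profile.
  openssl req -new -config "$dir/pki.cnf" -subj "/CN=jdoe" -newkey rsa:2048 \
    -nodes -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/pki.cnf" -extensions v3_client -out "$dir/user.pem" 2>/dev/null
  # 4. A client cert with the right EKU but signed by nobody the ASA trusts.
  openssl req -x509 -config "$dir/pki.cnf" -extensions v3_client -subj "/CN=jdoe" \
    -newkey rsa:2048 -nodes -days 365 -keyout "$dir/rogue.key" -out "$dir/rogue.pem" 2>/dev/null
}

# What the ASA does with the certificate a client presents: chain it to the
# trusted CA and require that it is usable for client authentication.
# Exit status 0 means "accepted, go on to RADIUS"; non-zero means "rejected".
asa_validates_client() {
  openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$2" >/dev/null 2>&1
}

# What the user's browser does with the ASA's certificate: chain it to the
# same CA and require that it is a server certificate.
client_validates_asa() {
  openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/asa.pem" >/dev/null 2>&1
}

# Usage: sh pki-demo.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); build_pki "$d"
  client_validates_asa "$d" && echo "client trusts the ASA certificate"
  asa_validates_client "$d" "$d/user.pem" && echo "ASA accepts the user certificate; RADIUS would run next"
  asa_validates_client "$d" "$d/rogue.pem" || echo "ASA rejects the rogue certificate; RADIUS is never reached"
  asa_validates_client "$d" "$d/asa.pem" || echo "ASA rejects its own server cert when offered as a client cert"
  rm -rf "$d"
fi
```

Two points the script makes concrete: the private keys never leave the machine that generated them (the ASA and the user only send CSRs to the CA), and the server and user certificates carry different extended key usages, which is why the firewall and the users need different templates. Nothing in the RADIUS/IAS server appears anywhere in the chain, matching the answer that no certificate is installed there.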
 
AGenMIS (Author) commented:
Haven't tested the resolution to see if it works
0