Solved

Creating a VPN certificate from my Microsoft CA server

Posted on 2012-03-30
1,206 Views
Last Modified: 2012-04-20
I have a Windows 2K3 server configured for Certificate Authority. My question is, we would like our VPN clients to start using a certificate from that server. Our new Cisco ASA will be our VPN server and our one Domain Controller is our radius server. Whether the user dials in or uses broadband, they still come in through our VPN client.

From my CA server, where do I push the VPN certificate? To my ASA VPN server or to my radius server? My second question is, what VPN certificate template should I push out?

Thanks
Question by:AGenMIS
11 Comments
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37791037
The RADIUS authentication is entirely separate from the certificate piece, so you set up the certificate on the ASA. The firewall will need a certificate for certificate validation of user certificates, but users will only need a certificate generated from the user template.
 
LVL 5

Expert Comment

by:andrew1812
ID: 37792208
Your firewall would need a server certificate template and the users would need a user/computer certificate template based on whether you are authenticating the user/computer on the VPN.
 

Author Comment

by:AGenMIS
ID: 37800407
So no certificate gets added to my Radius Server?

 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37800431
No. RADIUS authentication is optional and doesn't even begin until both client and server certificates have been processed and the user attempts to log in. It's a totally separate step.
 

Author Comment

by:AGenMIS
ID: 37801745
Thank you. I take it the RAS and IAS Server certificate is what I should send to the VPN server? If that is the one I send, is there any modifications I need to make to that cert?

Thanks
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37801950
The RAS certificate is what's needed.  IAS doesn't need one at all.  Not sure if RAS needs a special certificate though.  I typically don't use RAS when doing VPNs with PKI.
 

Author Comment

by:AGenMIS
ID: 37802022
The RAS and IAS Server certificate is one certificate. Isn't that the certificate I'm supposed to install on the VPN server from our CA server? I'm having a hard time finding any good documentation on how to set up a VPN certificate from a CA server.

Thanks
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37802041
If it's one certificate, then that's the one you should install.  Typically, the request is generated from the RAS machine and then submitted to the CA for processing.  Once you have the CA's response, you can install that on the RAS machine and use it for certificate validation.
 

Author Comment

by:AGenMIS
ID: 37802959
To sum everything up, have the ASA firewall/server request the RAS and IAS Server certificate from my CA server. Then have the users request a certificate from the CA server's web site. Is the Authenticated Session certificate the certificate the users should be requesting? Also, does anything have to be done to the DCs? Sorry for all the questions! I'm not too knowledgeable in this area.
 
LVL 22

Accepted Solution

by:Jody Lemoine (earned 1500 total points)
ID: 37802989
The users should be requesting a certificate based on the CA's "User Template."  Nothing needs to be done on the DCs as they're not part of the arrangement.  Essentially, it works like this:

User initiates VPN connection and gets the ASA's SSL certificate.  The browser will verify that the server's certificate is signed by a trusted authority and will present a warning to the user if it isn't.  At the same time, the ASA will request a certificate from the browser and will verify that it has been signed by a trusted authority.  Once this transaction is complete, everything falls back to standard RADIUS authentication against the IAS.  Certificates are issued by the CA, used by the client and authenticated against the CA by the ASA.  No other devices need be involved.
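The flow the accepted solution describes (ASA identity certificate enrolled from the Windows CA, client certificate checked against that CA, then RADIUS to IAS), and the request/submit/install sequence Jody Lemoine outlines in the comment above it, look like this on an ASA configured for SSL VPN. This is an added example written for this page, not configuration posted by anyone in the thread. The trustpoint name CORP-CA, the hostname vpn.example.com, the IAS address 10.0.0.10, the RADIUS key, the tunnel-group name and the issuing-CA common name are all assumed placeholders; the template name RASAndIASServer is the internal name of the built-in "RAS and IAS Server" template on a Windows 2003 enterprise CA.

```cisco
! --- ASA side: key pair and trustpoint for the ASA's own identity certificate ---
! Dedicated 2048-bit key so the VPN certificate does not share the default key.
crypto key generate rsa label VPN-KEY modulus 2048
!
! Terminal enrollment: the CSR is cut-and-pasted to the Windows CA and the
! issued certificate is pasted back. Subject/FQDN must match the name clients
! connect to, or the browser/AnyConnect will warn about the server certificate.
crypto ca trustpoint CORP-CA
 enrollment terminal
 subject-name CN=vpn.example.com,O=Example Corp
 fqdn vpn.example.com
 keypair VPN-KEY
 ! Check user certificates against the CA's CRL; the CDP in the certificates
 ! must be reachable from the ASA or every client logon will fail.
 revocation-check crl
!
! Step 1: trust the CA. Paste the base64 export of the CA's root certificate
! (certsrv "Download a CA certificate" on the CA web site) when prompted.
crypto ca authenticate CORP-CA
!
! Step 2: generate the CSR and display it. Submit it on the CA from an
! elevated prompt, e.g.
!   certreq -submit -attrib "CertificateTemplate:RASAndIASServer" asa.req asa.cer
! (assumed file names), then paste the contents of asa.cer when prompted.
crypto ca enroll CORP-CA
crypto ca import CORP-CA certificate
!
! Present the identity certificate on the outside interface.
ssl trust-point CORP-CA outside
!
! --- RADIUS to IAS on the domain controller (assumed address and key) ---
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.0.0.10
 key ReplaceWithSharedSecret
!
! Only accept client certificates issued by this CA. Without a map, any
! certificate chaining to any configured trustpoint would pass the first step.
crypto ca certificate map CORP-USERS 10
 issuer-name attr cn eq Corp-Issuing-CA
!
! Tunnel group: client certificate first, then RADIUS username/password.
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group IAS
tunnel-group VPN-USERS webvpn-attributes
 authentication aaa certificate
!
webvpn
 certificate-group-map CORP-USERS 10 VPN-USERS
```

The user certificates are requested by each user from the CA web site against the User template, exactly as the accepted solution says; the ASA never talks to the CA at logon time, it only validates the presented chain against CORP-CA and the CRL, and the domain controller sees nothing but the RADIUS request that follows.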
 

Author Closing Comment

by:AGenMIS
ID: 37871002
Haven't tested the resolution to see if it works
