Solved

Certificate based authentication

Posted on 2013-12-18
337 Views
Last Modified: 2014-01-26
Hi Experts,

I want to setup standalone CA for issuing certificates for outside domain laptops.
Can you please send me the link or file if you have how to create certificates.
I have been trying this for more than a week, but I am not able to fix it; it seems something is missing which I am not sure of.
Can you please suggest whether the root certificate or the server certificate should be installed/placed on the VPN appliance hardware, and also whether I need to install the server certificate along with the client certificate for authentication.

Regards,
Skumar.
Question by:Skumar_CCSA
8 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39726605
It's tough to say for sure, but what are you trying to secure using the certificates? Typically certs are issued via automation like GPOs or scripts. You can also send certificates to users' emails or in download links for them to import. If the users are using a browser to make a connection you can tell them to accept the certificate found at url xyz... I'm sure you've seen self-signed or expired certificates prompt you to accept them before; it's the same thing for you if the users are using a browser.
We're going to need more detail on what you are using the certs for.
-rich
 

Author Comment

by:Skumar_CCSA
ID: 39727589
Hi Rich,

Setting up 2FA for VPN users.

SSL certificate Authentication. ( Root Certificate will be placed in VPN Appliance Hardware, Client Certificate will be installed on Laptops)

The VPN appliance will verify the client certificate and sign; after a successful sign it will send a request to the RADIUS server for OTP authentication.

I have checked that it works well if I remove the certificate authentication process, but the SSL certificate cannot be skipped in the design.

No GPO, since the users' laptops will be outside the network and not members of the domain, and we cannot afford to have a public site for laptop users to download the certificate from the web or to create certificate requests themselves. It is planned that all non-domain laptops will have certificates installed manually after prior approvals, since they are outside users.

I have installed a standalone CA and created root certificates, and placed them in the BIG-IP VPN appliance for certificate verification. The VPN appliance will check for client certificates; if the laptop user does not have a client certificate then the session will be terminated.

Created client certificates and installed them on the laptop; after the installation I can see the client certificates located in the personal certificate window, but it did not work.

Can you please help me out with the steps for the above solution; I am not sure what key steps are being missed.

Regards,
Skumar
 

Author Comment

by:Skumar_CCSA
ID: 39729666
Thanks for your kind help....
Appreciated......

 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39731813
I apologize that I'm responding without spending more time reading, but rushed in rl... and wanted to at least give you some links.

Installing certificates for VPN connections shouldn't have changed much between WinServer 2003 and 2008... so that technet article should help.  (It's essentially using the advanced request... still a relatively manual process on the workstation.)

This SANS paper on the subject might help, although it is more geared towards the cisco hardware solution.

If you're using your own root CA, yes, you'll need the CA cert on each of the devices that'll be trusting it (usually along with intermediate CA certs.)  The server cert shouldn't be required to be installed on the client though... but the client will need to be able to access the CRL location published in the cert.
 

Author Comment

by:Skumar_CCSA
ID: 39731836
Hi,

Thanks for response and suggestions.
My design is to have certificate authentication at first place and then RADIUS account authorization.

Yes, all client laptops will be issued a client certificate for authentication, and the root CA will be imported into the VPN appliance hardware for 1st level authentication when the client connects to the VPN. I have done everything as described in the steps but something is missing; not sure what it is or what I am doing wrong....

I tried redoing it all and am still stuck at the same stage... can you please share a link if you know how to create my own SSL root certificate and client certificate.
 
LVL 29

Accepted Solution

by:Rich Weissler (earned 500 total points)
ID: 39731949
I apologize, I'm not certain I understand.  When you say, create your own SSL root certificate, you aren't referring to creating a self-signed certificate for SSL, are you?  Or are you attempting to get a copy of the CA's public certificate so you can import it elsewhere?  (The first link in my original post will have the simplified instructions for creating the client cert, on the client... and you can export that cert in the certificate MMC.)
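Illustrating the two points made in the expert comments above, that the trusting device needs only the CA's public certificate and must be able to consult the CRL, and that a self-signed certificate is not the same as one issued by the root: an added shell example, not code from the thread, from F5 or from the Microsoft CA tooling, that builds a demo root CA with the openssl CLI, issues a client certificate, and runs the chain and revocation checks an appliance performs. All file names, subjects and the minimal config are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the certificate step of the
# design above with the openssl CLI to see what the appliance actually checks.
# Assumes a POSIX shell and openssl 1.1.1+; every name and subject is made up.
set -e
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"
# Minimal demo config: an empty DN section for req, a ca section for the CRL.
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\ndefault_ca=demo\n[demo]\ndatabase=index.txt\ndefault_md=sha256\n' > demo.cnf
: > index.txt

# 1. Root CA. Only root.crt (the public half) goes on the appliance; root.key
#    stays on the CA host.
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile root.ext \
  -out root.crt 2>/dev/null

# 2. Laptop key + CSR, then a cert issued by the root with the clientAuth purpose.
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -subj "/CN=laptop01" \
  -keyout client.key -out client.csr 2>/dev/null
printf 'extendedKeyUsage=clientAuth\n' > client.ext
openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 90 -extfile client.ext -out client.crt 2>/dev/null

# 3. A self-signed cert with the same name (the confusion raised in the thread):
#    it never chains to the trusted root, so the appliance must reject it.
openssl req -new -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 90 \
  -subj "/CN=laptop01" -keyout rogue.key -out rogue.crt 2>/dev/null

# 4. Revoke the laptop cert and publish a CRL signed by the root.
openssl ca -config demo.cnf -keyfile root.key -cert root.crt -revoke client.crt 2>/dev/null
openssl ca -config demo.cnf -keyfile root.key -cert root.crt -gencrl -crldays 7 \
  -out root.crl 2>/dev/null

# verify_client CERT [CRL]: the appliance-side check. It trusts only root.crt,
# requires the client purpose and consults a CRL only when handed one.
# Prints accept/reject and returns 0/1.
verify_client() {
  crl_opts=""
  [ -n "${2:-}" ] && crl_opts="-CRLfile $2 -crl_check"
  if openssl verify -CAfile root.crt -purpose sslclient $crl_opts "$1" >/dev/null 2>&1; then
    echo accept; return 0
  fi
  echo reject; return 1
}

verify_client client.crt          || true  # accept: issued by the trusted root
verify_client rogue.crt           || true  # reject: self-signed, no chain to root
verify_client client.crt root.crl || true  # reject: revoked, seen only via the CRL
```

The last two lines show the same laptop certificate passing without a CRL and failing with one, which is why the client (or the appliance) must be able to reach the CRL location published in the certificate.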
 

Author Closing Comment

by:Skumar_CCSA
ID: 39810941
After going through your link I am able to deploy the CA and issue certificates.