Solved

Certificate based authentication

Posted on 2013-12-18
Last Modified: 2014-01-26
Hi Experts,

I want to set up a standalone CA for issuing certificates for outside-domain laptops.
Can you please send me the link or file, if you have one, on how to create certificates.
I have been trying this for more than 1 week, but am not able to fix it; it seems I am missing something, and I am not sure what.
Can you please suggest whether the root certificate or the server certificate should be installed/placed in the VPN appliance hardware, and also whether I need to install the server certificate along with the client certificate for authentication.

Regards,
Skumar.
Question by:Skumar_CCSA
8 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39726605
It's tough to say for sure, but what are you trying to secure using the certificates? Typically certs are issued via automation like GPOs or scripts. You can also send certificates to users' emails or in download links for them to import. If the users are using a browser to make a connection you can tell them to accept the certificate found at url xyz... I'm sure you've seen self-signed or expired certificates prompt you to accept them before; it's the same thing for you if the users are using a browser.
We're going to need more detail on what you are using the certs for.
-rich
 

Author Comment

by:Skumar_CCSA
ID: 39727589
Hi Rich,

Setting up 2FA for VPN users.

SSL certificate authentication. (The root certificate will be placed in the VPN appliance hardware; the client certificate will be installed on laptops.)

The VPN appliance will verify the client certificate and sign; after a successful sign it will send a request to the RADIUS server for OTP authentication.

I have checked that it works well if I remove the certificate authentication process, but the SSL certificate cannot be skipped in the design.

No GPO, since the users' laptops will be outside the network and not members of the domain, and we cannot afford to have a public site for laptop users to download the certificate from the web or to create a certificate request by themselves. It is planned that all non-domain laptops will have certificates installed manually with prior approvals, since they are outside users.

I have installed a standalone CA, created root certificates, and placed them in the BIG-IP VPN appliance for certificate verification. The VPN appliance will check for client certificates; if the laptop user does not have a client certificate then the session will be terminated.

I created client certificates and installed them on a laptop. After the installation I can see the client certificates located in the personal certificate window, but it did not work.

Can you please help me out with the steps for the above solution? I am not sure what key steps are being missed.

Regards,
Skumar
 

Author Comment

by:Skumar_CCSA
ID: 39729666
Thanks for your kind help....
Appreciated......

 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39731813
I apologize that I'm responding without spending more time reading, but rushed in rl... and wanted to at least give you some links.

Installing certificates for VPN connections shouldn't have changed much between WinServer 2003 and 2008... so that technet article should help.  (It's essentially using the advanced request... still a relatively manual process on the workstation.)

This SANS paper on the subject might help, although it is more geared towards the Cisco hardware solution.

If you're using your own root CA, yes, you'll need the CA cert on each of the devices that'll be trusting (usually along with intermediate CA certs.)  The server cert shouldn't be required to be installed on the client though... but the client will need to be able to access the CRL location published in the cert.
0
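The trust relationship described in the comment above (root CA certificate on the verifying device, client certificate and private key on the laptop), as an added example that is not part of the original thread. It uses OpenSSL rather than the Windows standalone CA discussed here, every file and subject name is constructed, and CRL checking is left out.

```bash
#!/usr/bin/env bash
# Added example: throwaway lab CA and client certificates (all names constructed).

# Build a root CA, one client cert with the clientAuth EKU, and one without it.
make_lab_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Root CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root certificate: the only file the verifying device needs from the CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
    -keyout ca.key -out ca.crt 2>/dev/null || exit 1
  # Client key and request; the private key belongs on the laptop only.
  openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=laptop01.example" \
    -keyout client.key -out client.csr 2>/dev/null || exit 1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > good.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > bad.ext
  for v in good bad; do
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 30 -extfile "$v.ext" -out "client_$v.crt" 2>/dev/null || exit 1
  done
)

# Verdict for one client cert: chain and purpose against the root, then key match.
check_client_cert() {  # $1=root cert  $2=client cert  $3=client private key
  if ! openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; then
    echo "untrusted-or-wrong-purpose"; return 0
  fi
  local c k
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$3" -pubout 2>/dev/null | openssl sha256)
  if [ "$c" != "$k" ]; then echo "key-mismatch"; return 0; fi
  echo "ok"
}

d=$(mktemp -d)
make_lab_pki "$d"
for v in good bad; do
  echo "client_$v.crt: $(check_client_cert "$d/ca.crt" "$d/client_$v.crt" "$d/client.key")"
done
```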
 

Author Comment

by:Skumar_CCSA
ID: 39731836
Hi,

Thanks for the response and suggestions.
My design is to have certificate authentication in the first place and then RADIUS account authorization.

Yes, all client laptops will be issued a client certificate for authentication, and the root CA will be imported into the VPN appliance hardware for 1st-level authentication as and when a client connects to the VPN. I have done everything as described in the steps, but something is missing; I am not sure what it is or what I am doing wrong....

I tried redoing it all and am still stuck at the same stage... Can you please share some link if you know how to create own SSL ROOT certificate and client certificate.
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 39731949
I apologize, I'm not certain I understand.  When you say, create your own SSL ROOT certificate, you aren't referring to creating a self signed certificate for SSL, are you?  Or are you attempting to get a copy of the CA's public certificate so you can import it elsewhere?  (The first link in my original post will have the simplified instructions for creating the client cert, on the client... and you can export that cert in the certificate MMC.)
 

Author Closing Comment

by:Skumar_CCSA
ID: 39810941
After going through your link I am able to deploy CA and issue certificates.