Certificate based authentication

Posted on 2013-12-18
Last Modified: 2014-01-26
Hi Experts,

I want to set up a standalone CA for issuing certificates for outside-domain laptops.
Can you please send me a link or file, if you have one, on how to create certificates?
I have been trying this for more than a week but am not able to fix it; it seems something is missing, and I am not sure what.
Can you please suggest whether the root certificate should be installed/placed in the VPN appliance hardware or the server certificate should be placed there, and also do I need to install the server certificate along with the client certificate for authentication?

Regards,
Skumar.
Question by:Skumar_CCSA
8 Comments
Expert Comment

by:Rich Rumble
ID: 39726605
It's tough to say for sure, but what are you trying to secure using the certificates? Typically certs are issued via automation like GPOs or scripts. You can also send certificates to users' emails or in download links for them to import. If the users are using a browser to make a connection you can tell them to accept the certificate found at URL xyz... I'm sure you've seen self-signed or expired certificates prompt you to accept them before; it's the same thing for you if the users are using a browser.
We're going to need more detail on what you are using the certs for.
-rich

Author Comment

by:Skumar_CCSA
ID: 39727589
Hi Rich,

Setting up 2FA for VPN users.

SSL certificate authentication. (The root certificate will be placed in the VPN appliance hardware; the client certificate will be installed on laptops.)

The VPN appliance will verify the client certificate and sign; after a successful sign it will send a request to the RADIUS server for OTP authentication.

I have checked that it works well if I remove the certificate authentication process, but SSL certificate authentication cannot be skipped in the design.

No GPO, since user laptops will be outside the network and not members of the domain, and we cannot afford to have a public site for laptop users to download the certificate from the web or create a certificate request by themselves. The plan is that all non-domain laptops will have certificates installed manually after prior approval, since they are outside users.

I have installed a standalone CA, created the root certificate, and placed it in the BIG-IP VPN appliance for certificate verification. The VPN appliance will check for client certificates; if the laptop user does not have a client certificate then the session will be terminated.

I created client certificates and installed them on the laptop; after the installation I can see the client certificates in the Personal certificate store window, but it did not work.

Can you please help me out with steps for the above solution? I am not sure what key step is being missed.

Regards,
Skumar

Author Comment

by:Skumar_CCSA
ID: 39729666
Thanks for your kind help....
Appreciated......
Expert Comment

by:Rich Weissler
ID: 39731813
I apologize that I'm responding without spending more time reading, but I'm rushed in RL... and wanted to at least give you some links.

Installing certificates for VPN connections shouldn't have changed much between WinServer 2003 and 2008... so that TechNet article should help. (It's essentially using the advanced request... still a relatively manual process on the workstation.)

This SANS paper on the subject might help, although it is more geared towards the Cisco hardware solution.

If you're using your own root CA, yes, you'll need the CA cert on each of the devices that'll be trusting (usually along with intermediate CA certs). The server cert shouldn't be required to be installed on the client though... but the client will need to be able to access the CRL location published in the cert.
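To make the trust relationship in Rich Weissler's reply concrete, here is an added Go example (not code from the question, the TechNet article, or BIG-IP) that builds an in-memory root CA and a client certificate with the Client Authentication EKU and a CRL distribution point, then performs the check the appliance performs: the chain verifies only when the root CA cert is in the trust store, and the CRL URL is what the verifier must be able to reach. The CA name, client name and CRL URL are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a self-signed root CA and a client-auth cert signed by it,
// standing in for the standalone CA and the laptop certificate from the question.
func issue() (root, client *x509.Certificate, err error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	start := time.Now().Add(-time.Minute)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Standalone Root CA"}, // placeholder
		NotBefore: start, NotAfter: start.AddDate(10, 0, 0),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, _ = x509.ParseCertificate(rootDER)
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "laptop-user"}, // placeholder
		NotBefore:    start, NotAfter: start.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // required for client auth
		CRLDistributionPoints: []string{"http://ca.example.invalid/root.crl"},  // placeholder URL
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, root, &clientKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	client, _ = x509.ParseCertificate(clientDER)
	return root, client, nil
}

// verifyClient does what the VPN appliance does: chain the presented client cert
// to the roots it trusts, requiring the Client Authentication EKU. A nil error means accepted.
func verifyClient(client *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool() // empty pool = appliance without the root CA imported
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	root, client, err := issue()
	if err != nil {
		panic(err)
	}
	fmt.Println("root trusted:    ", verifyClient(client, root)) // <nil>
	fmt.Println("root not trusted:", verifyClient(client))       // unknown authority
	fmt.Println("CRL the verifier must reach:", client.CRLDistributionPoints)
}
```

The second line of output is the failure a client sees when the appliance (or the laptop, for the server side) lacks the root CA cert; CRL reachability is a separate check that this offline example only surfaces as the URL.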

Author Comment

by:Skumar_CCSA
ID: 39731836
Hi,

Thanks for the response and suggestions.
My design is to have certificate authentication in the first place and then RADIUS account authorization.

Yes, all client laptops will be issued a client certificate for authentication, and the root CA will be imported into the VPN appliance hardware for 1st-level authentication as and when a client connects to the VPN. I have done everything as described in the steps, but something is missing; I am not sure what it is or what I am doing wrong....

I tried redoing it all and am still stuck at the same stage... can you please share a link, if you know of one, on how to create my own SSL root certificate and client certificate?
Accepted Solution

by:Rich Weissler (earned 500 total points)
ID: 39731949
I apologize, I'm not certain I understand. When you say "create your own SSL ROOT certificate", you aren't referring to creating a self-signed certificate for SSL, are you? Or are you attempting to get a copy of the CA's public certificate so you can import it elsewhere? (The first link in my original post will have the simplified instructions for creating the client cert, on the client... and you can export that cert in the certificate MMC.)

Author Closing Comment

by:Skumar_CCSA
ID: 39810941
After going through your link I am able to deploy the CA and issue certificates.