Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to set up Windows Server 2008 certificate server for Cisco AnyConnect VPN authentication

Posted on 2014-11-01
7
Medium Priority
?
692 Views
Last Modified: 2015-02-11
I am tasked with an immediate need to configure a windows server that can serve as a CA such that I can use it to generate certificates that can be deployed to VPN-enabled computers by Group Policy to serve as a second means of authentication on top of a username and password.

My Cisco AnyConnect VPN is served up from a Cisco ASA 5515 firewall with latest and greatest firmware (9.2(2)8). I installed an SSL certificate from GoDaddy, so that the ASA is identified as a trusted VPN connection. But, I'm under the impression that VPN clients need a certificate on the native machine in order to provide a second form of authentication and that the SSL certificate on the ASA identifying it as a trusted VPN connection does not actually serve as a valid 'factor' in multi-factor authentication terms.

In the end, my VPN connection needs a second factor of authentication on top of the first factor (RADIUS).  I'm, again, under the impression I need to go down the road of an internal server as a CA.  However, I have done zero work with certificates and certificate servers in this capacity and it's all new to me.  Given that I have the GoDaddy SSL cert on the ASA, I wonder if there is a way to leverage that.

Reading up on it, I'm finding myself questioning whether I need a standalone CA vs an enterprise CA, if I can install it on a domain controller or if it should be installed on a member server, how the certificate generation and deployment process to VPN clients (Group Policy) all comes together.

Hopefully having described my situation, what I'm working with, what I need to accomplish in some form or another, and what I'm specifically trying to vet out will help someone help provide me some direction.
0
Comment
Question by:djhath
  • 4
  • 3
7 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 40417285
0
 
LVL 3

Author Comment

by:djhath
ID: 40417305
Thanks, Pete.  I came across your article last night and had it separately bookmarked.  I started digging into your approach and trying to adapt it to the leverage the existing GoDaddy CA certificate and corresponding Identity certificate installed on the ASA.  However, what I forgot to mention was that I have a failover pair and the ASA cannot be set-up as a CA server when failover is enabled.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40417411
Ah ok in that case id setup a CA on a windows server, import the CA cert onto the ASA as a trusted authority, then issue 'computer certificates' to the remote machines.
Deploying Certificates via 'Auto Enrollment'

P
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 3

Author Comment

by:djhath
ID: 40417584
Thanks, Pete. I will give that a shot and report back.
0
 
LVL 3

Author Comment

by:djhath
ID: 40417807
You have been a tremendous help. I have deployed the certificates as your article depicts. I am going to adjust my RADIUS configuration and test authentication with the certificate.
0
 
LVL 3

Author Comment

by:djhath
ID: 40418326
Much closer, but not quite there yet.  I have successfully exported and imported the Windows domain CA certificate into the ASA.  To test, I have set the authentication mechanism to Certificate from AAA. When I attempt to connect with the AnyConnect client, it prompts with the machine's certificate , which I am supposed to select for authentication. I select it, and responds back with 'Certificate Validation Failure'.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40419435
Does the remote computer have a certificate issued from your PKI on it?
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question