How to set up Windows Server 2008 certificate server for Cisco AnyConnect VPN authentication

I am tasked with an immediate need to configure a windows server that can serve as a CA such that I can use it to generate certificates that can be deployed to VPN-enabled computers by Group Policy to serve as a second means of authentication on top of a username and password.

My Cisco AnyConnect VPN is served up from a Cisco ASA 5515 firewall with latest and greatest firmware (9.2(2)8). I installed an SSL certificate from GoDaddy, so that the ASA is identified as a trusted VPN connection. But, I'm under the impression that VPN clients need a certificate on the native machine in order to provide a second form of authentication and that the SSL certificate on the ASA identifying it as a trusted VPN connection does not actually serve as a valid 'factor' in multi-factor authentication terms.

In the end, my VPN connection needs a second factor of authentication on top of the first factor (RADIUS).  I'm, again, under the impression I need to go down the road of an internal server as a CA.  However, I have done zero work with certificates and certificate servers in this capacity and it's all new to me.  Given that I have the GoDaddy SSL cert on the ASA, I wonder if there is a way to leverage that.

Reading up on it, I'm finding myself questioning whether I need a standalone CA vs an enterprise CA, if I can install it on a domain controller or if it should be installed on a member server, how the certificate generation and deployment process to VPN clients (Group Policy) all comes together.

Hopefully having described my situation, what I'm working with, what I need to accomplish in some form or another, and what I'm specifically trying to vet out will help someone help provide me some direction.
LVL 3
djhathAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Pete LongTechnical ConsultantCommented:
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
djhathAuthor Commented:
Thanks, Pete.  I came across your article last night and had it separately bookmarked.  I started digging into your approach and trying to adapt it to the leverage the existing GoDaddy CA certificate and corresponding Identity certificate installed on the ASA.  However, what I forgot to mention was that I have a failover pair and the ASA cannot be set-up as a CA server when failover is enabled.
0
Pete LongTechnical ConsultantCommented:
Ah ok in that case id setup a CA on a windows server, import the CA cert onto the ASA as a trusted authority, then issue 'computer certificates' to the remote machines.
Deploying Certificates via 'Auto Enrollment'

P
0
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

djhathAuthor Commented:
Thanks, Pete. I will give that a shot and report back.
0
djhathAuthor Commented:
You have been a tremendous help. I have deployed the certificates as your article depicts. I am going to adjust my RADIUS configuration and test authentication with the certificate.
0
djhathAuthor Commented:
Much closer, but not quite there yet.  I have successfully exported and imported the Windows domain CA certificate into the ASA.  To test, I have set the authentication mechanism to Certificate from AAA. When I attempt to connect with the AnyConnect client, it prompts with the machine's certificate , which I am supposed to select for authentication. I select it, and responds back with 'Certificate Validation Failure'.
0
Pete LongTechnical ConsultantCommented:
Does the remote computer have a certificate issued from your PKI on it?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.