Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4036
Views
13
Helpful
7
Replies

Anyconnect Secure Mobility Client, Network Access Module, wired PEAP

Go to solution
ngtransge
Level 1
Level 1

‎08-15-2012 03:55 AM - edited ‎03-10-2019 07:25 PM

Hello there,

I am testing AnyConnect Secure Mobility Client, Network Access Module as supplicant with PEAP authentication for wired network users. With default configuration it is working well.  With default configuration it is Trusting any Root CA certificates installed on the OS.  Do you know how to configure NAM that it will validate ACS certificate with specific Root CA Certificate ?

In Network Access Module profile editor it has two options about Certificates:

One is Certificate Trusted Authority which has two options by its self  first is too trust any Root CA certificate that is installed on OS, and second is to import Root CA certificate in Profile. Potentially Second option can help in my case, I can manually import Root CA certificates in each profile. But I think it will be hard to update Root CA certificates in future  in that way.

Second is Certificate Trusted Server Rules,  this option have matching capability by certificate Common Name.  For what can be used this option ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Travis Hysuick
Level 1
Level 1
In response to ngtransge

‎09-24-2012 09:00 AM

The screenshot I attached included the path to the exported Root CA certificate. All I did was export the Root CA certifcate to a file, and include that cert in the profile (this is manual CA provisioning through the Profile Editor directly).

If you have already added the Root CA certificate to the clients trusted certifcate store via a Group Policy Object, you can select the other option "Trust any Root CA installed on the OS", which will work just fine.

If you don't have a Root CA in-house to issue certifcates, and are relying on the ACS self-generated certificcate for management and EAP authentication purposes, you will need to include the locally generated certifcate from each appliance in order to have the client trust the CSACS appliance.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎08-15-2012 09:24 AM

Hi,

Here is the following guide that will shed some light on validating the server certificate:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html#wp1161278

One is Certificate Trusted Authority which has two  options by its self  first is too trust any Root CA certificate that is  installed on OS, and second is to import Root CA certificate in Profile.  Potentially Second option can help in my case, I can manually import  Root CA certificates in each profile. But I think it will be hard to  update Root CA certificates in future  in that way. Root Certificates take some time expire, but you are correct this can be a headache later on the down the road if the root certificate were to expire. However if you are using auto-enrollment then the certificate should renew in a seperate process (http://social.technet.microsoft.com/Forums/sr/winserverDS/thread/55aa1c43-15f3-453c-9223-25517b0584f0). If that isnt the case then you can use the second option you pointed out which you clearly defined.

Second is Certificate Trusted Server Rules,  this option have matching capability by certificate Common Name.  For what can be used this option? Every certificate has a common name (CN) of its identity, if you have a network that has multiple radius servers, you can enter in the CN of the certificates that are presented in the eap exchange.

Tarik Admani
*Please rate helpful posts*

Go to solution
ngtransge
Level 1
Level 1
In response to Tarik Admani

‎08-15-2012 10:12 AM

Hello Tarik,

Can you clarify second option capability?

In Second option which is Certificate Trusted Server Rules. Witch Certificate is matches in this option, locally installed on OS certificates or Identity certificate which ACS/RADIUS sent?

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to ngtransge

‎08-15-2012 10:20 AM

The identity certificate authority (I havent used this option before) but it is outlined in the document:

"When the Validate Server Identity option is  configured for the EAP method, the Certificate panel is enabled to allow  you to configure validation rules for Certificate Server or Authority."

Thanks,

Tarik Admani
*Please rate helpful posts*

Go to solution
ngtransge
Level 1
Level 1
In response to Tarik Admani

‎09-21-2012 01:07 AM

Hello,

If I have following CA certificate installed on OS certificate store that is attached here. How can I match this certificate in NAM ? What will be correct “Certificate Trusted Server Rules” rule pattern?

135398-certnew.cer.zip
0 Helpful

Go to solution
Travis Hysuick
Level 1
Level 1
In response to ngtransge

‎09-21-2012 11:07 AM

Normally the way it works is that you set up your Enterprise Root CA, and then have it issue a certifcate for the AAA server (ie ACS, ISE, etc). You then install this certificate on the AAA server and (in an Active Directory environment) add the Root CA certificate to the client systems local certificate store. What that means is that any certificates (such as the one installed on the AAA server) that are presented to the client that are signed by the root are automatically trusted.

Server validation is an extra step in terms of proving the identity of the AAA server to the authenticating client. As such, when you build the policy in the NAM editor, it would look similar to the image below:

I like to use the CN (Common Name) as the match criteria and build my CA issuance policy to always include the FQDN in the certificate for identity purposes.

Hope this helps!

Go to solution
ngtransge
Level 1
Level 1
In response to Travis Hysuick

‎09-23-2012 02:30 AM

Hello Travis,

When you specify Include Root CA Certificate, and path which is C:/temp/certnew.cer, what does it exactly mean it will take certificate from C:/temp/certnew.cer on local computer on which I do profile for NAM and include this certificate in profile, or it will take certificate from C:/temp/certnew.cer, on supplicant computer where NAM is installed with provided profile ?

0 Helpful

Go to solution
Travis Hysuick
Level 1
Level 1
In response to ngtransge

‎09-24-2012 09:00 AM

The screenshot I attached included the path to the exported Root CA certificate. All I did was export the Root CA certifcate to a file, and include that cert in the profile (this is manual CA provisioning through the Profile Editor directly).

If you have already added the Root CA certificate to the clients trusted certifcate store via a Group Policy Object, you can select the other option "Trust any Root CA installed on the OS", which will work just fine.

If you don't have a Root CA in-house to issue certifcates, and are relying on the ACS self-generated certificcate for management and EAP authentication purposes, you will need to include the locally generated certifcate from each appliance in order to have the client trust the CSACS appliance.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents