08-15-2012 03:55 AM - edited 03-10-2019 07:25 PM
Hello there,
I am testing AnyConnect Secure Mobility Client, Network Access Module as supplicant with PEAP authentication for wired network users. With default configuration it is working well. With default configuration it is Trusting any Root CA certificates installed on the OS. Do you know how to configure NAM that it will validate ACS certificate with specific Root CA Certificate ?
In Network Access Module profile editor it has two options about Certificates:
One is Certificate Trusted Authority which has two options by its self first is too trust any Root CA certificate that is installed on OS, and second is to import Root CA certificate in Profile. Potentially Second option can help in my case, I can manually import Root CA certificates in each profile. But I think it will be hard to update Root CA certificates in future in that way.
Second is Certificate Trusted Server Rules, this option have matching capability by certificate Common Name. For what can be used this option ?
Solved! Go to Solution.
09-24-2012 09:00 AM
The screenshot I attached included the path to the exported Root CA certificate. All I did was export the Root CA certifcate to a file, and include that cert in the profile (this is manual CA provisioning through the Profile Editor directly).
If you have already added the Root CA certificate to the clients trusted certifcate store via a Group Policy Object, you can select the other option "Trust any Root CA installed on the OS", which will work just fine.
If you don't have a Root CA in-house to issue certifcates, and are relying on the ACS self-generated certificcate for management and EAP authentication purposes, you will need to include the locally generated certifcate from each appliance in order to have the client trust the CSACS appliance.
08-15-2012 09:24 AM
Hi,
Here is the following guide that will shed some light on validating the server certificate:
One is Certificate Trusted Authority which has two options by its self first is too trust any Root CA certificate that is installed on OS, and second is to import Root CA certificate in Profile. Potentially Second option can help in my case, I can manually import Root CA certificates in each profile. But I think it will be hard to update Root CA certificates in future in that way. Root Certificates take some time expire, but you are correct this can be a headache later on the down the road if the root certificate were to expire. However if you are using auto-enrollment then the certificate should renew in a seperate process (http://social.technet.microsoft.com/Forums/sr/winserverDS/thread/55aa1c43-15f3-453c-9223-25517b0584f0). If that isnt the case then you can use the second option you pointed out which you clearly defined.
Second is Certificate Trusted Server Rules, this option have matching capability by certificate Common Name. For what can be used this option? Every certificate has a common name (CN) of its identity, if you have a network that has multiple radius servers, you can enter in the CN of the certificates that are presented in the eap exchange.
Tarik Admani
*Please rate helpful posts*
08-15-2012 10:12 AM
Hello Tarik,
Can you clarify second option capability?
In Second option which is Certificate Trusted Server Rules. Witch Certificate is matches in this option, locally installed on OS certificates or Identity certificate which ACS/RADIUS sent?
08-15-2012 10:20 AM
The identity certificate authority (I havent used this option before) but it is outlined in the document:
"When the Validate Server Identity option is configured for the EAP method, the Certificate panel is enabled to allow you to configure validation rules for Certificate Server or Authority."
Thanks,
Tarik Admani
*Please rate helpful posts*
09-21-2012 01:07 AM
09-21-2012 11:07 AM
Normally the way it works is that you set up your Enterprise Root CA, and then have it issue a certifcate for the AAA server (ie ACS, ISE, etc). You then install this certificate on the AAA server and (in an Active Directory environment) add the Root CA certificate to the client systems local certificate store. What that means is that any certificates (such as the one installed on the AAA server) that are presented to the client that are signed by the root are automatically trusted.
Server validation is an extra step in terms of proving the identity of the AAA server to the authenticating client. As such, when you build the policy in the NAM editor, it would look similar to the image below:
I like to use the CN (Common Name) as the match criteria and build my CA issuance policy to always include the FQDN in the certificate for identity purposes.
Hope this helps!
09-23-2012 02:30 AM
Hello Travis,
When you specify Include Root CA Certificate, and path which is C:/temp/certnew.cer, what does it exactly mean it will take certificate from C:/temp/certnew.cer on local computer on which I do profile for NAM and include this certificate in profile, or it will take certificate from C:/temp/certnew.cer, on supplicant computer where NAM is installed with provided profile ?
09-24-2012 09:00 AM
The screenshot I attached included the path to the exported Root CA certificate. All I did was export the Root CA certifcate to a file, and include that cert in the profile (this is manual CA provisioning through the Profile Editor directly).
If you have already added the Root CA certificate to the clients trusted certifcate store via a Group Policy Object, you can select the other option "Trust any Root CA installed on the OS", which will work just fine.
If you don't have a Root CA in-house to issue certifcates, and are relying on the ACS self-generated certificcate for management and EAP authentication purposes, you will need to include the locally generated certifcate from each appliance in order to have the client trust the CSACS appliance.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide