Cisco VPN Client - Real user authentication via digital certificates

mhoe
Level 1

Hello!

I know about the features for using certificates with the Cisco VPN Client and VPN Concentrator/PIX. These features still don't satisfy our needs because, in my opinion, there is no real user authentication.

Let me explain this:

If a user "authenticates" via digital certificate the VPN Gateway (PIX or Concentrator) checks his certificate and - if successful - allows him to connect. But the only thing the Gateway knows about the user at that time is that he has a valid certificate. So in a large company with an existing PKI I would have to provide extra VPN user certificates. Also accounting (by RADIUS) on these connections shows "unknown" in the username-field.

There are two ways to avoid this (on a VPN concentrator). Either I build a group matching policy where I define rules for each single user certificate, which is quite uncomfortable, or I force all users to authenticate (this time a real user authentication) via username and password, which I wanted to avoid.

So to my mind, although the Cisco VPN Client's feature "User authentication via digital certificates" provides a higher security level than working with preshared keys (group passwords), it doesn't realize an authentication in its original meaning - identifying a single user to decide whether he is allowed to access or not - though it validates that he is trustable.

Other clients e.g. the MS native L2TP/IPSec Client have the feature to authenticate users by contacting an AD or RADIUS (EAP) server. Does Cisco provide or plan a solution for user authentication via digital certificates?

3 Replies

mostiguy
Level 6

You can configure a 3000 to use certs and NT domain/local user database/AD authentication.

dhucaby
Level 1

Hi,

I think the whole idea behind using digital certificates is that a certificate proves a couple of things: your identity (positive proof that you have been granted a certificate and are using it), and your "trustability".

The certificate itself contains information about you (the end user), your organization, etc. When you present the certificate to the VPN gateway, that says the user's identity is you. You're right - in a way, it does only prove that whoever has the certificate appears to be you. However, in order to use the certificate in the VPN client, you are required to enter a challenge password or PIN that "unlocks" the certificate for use each time a VPN connection is made. If someone steals your certificate, they can't use it because they don't know its password.

Now you have a two-faceted authentication scheme: Something you have (the certificate) and something only you could know (the password or PIN).

As for an organization with an existing PKI, I think you can merge the two PKI environments. Everything uses X.509v3 certificates, so all you need to do is have the VPN gateway enroll itself with the existing PKI CA. Now the gateway and users have the same trustpoint. Just make sure that the existing CA can support SCEP (simple certificate enrollment protocol) that all Cisco devices use. SCEP is a common addition to most CAs. (If you're using a Microsoft Windows 2000/2003 server CA, there is a separate or additional piece to load to add SCEP capability.)

The down side of this is that all of your existing PKI users now have valid certificates, meaning that all of them could potentially connect to the VPN gateway. You might want to allow only a subset of users VPN remote access. That's where authorization comes in. Even though a user can be authenticated (proof of identity), he/she must then be authorized (allowed access).

That can be done by configuring certificate group matching on the VPN gateway, where certain certificate fields are matched and assigned to receive specific VPN group policies. (On a Cisco VPN3K, see Configuration->User Management->Group Matching).

Otherwise, you can do authorization by the addition of a RADIUS or LDAP server. This is done in individual VPN group configurations, under the User Management->Groups->IPSec tab.

One last note - you described using RADIUS accounting, only to see "unknown" usernames in the records. To correct this, go into the VPN group configuration. Under the IPSec tab, look for "DN Field". There, you can select the certificate credential info that will become the username. Usually, the user will fill out their whole name in the "CN" field when they enroll for a certificate.

Hope this helps,

Dave Hucaby, CCIE#4594 hucaby@uky.edu
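A small model of the two mechanisms the reply above describes (certificate group matching on subject fields, and picking a DN field as the RADIUS accounting username), written here as an added example; it is not Cisco code, and the rule list, group names and subject DNs are constructed assumptions.

```python
"""Model of certificate group matching and DN-field username selection.

Constructed example, not the concentrator's code: it mimics the behaviour
the reply describes. Rule list, group names and DNs are assumptions.
"""
import re
from typing import Optional

def parse_dn(dn: str) -> dict:
    """Parse an RFC 2253-style subject DN into {ATTR: [values]}.

    Splits on commas that are not backslash-escaped, so a CN such as
    "Doe\\, Jane" survives as one value.
    """
    fields: dict = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        fields.setdefault(key.strip().upper(), []).append(
            value.strip().replace("\\,", ","))
    return fields

# Hypothetical ordered rule list, first match wins, like the concentrator's
# Group Matching rules: every listed attribute must carry the given value.
GROUP_RULES = [
    ({"OU": "VPN-Admins", "O": "Example Corp"}, "vpn-admins"),
    ({"OU": "Engineering", "O": "Example Corp"}, "vpn-users"),
]

def match_group(subject: dict, rules=GROUP_RULES) -> Optional[str]:
    """Return the first group whose rule the subject satisfies, else None."""
    for required, group in rules:
        if all(val in subject.get(attr, []) for attr, val in required.items()):
            return group
    return None

def accounting_username(subject: dict, dn_field: str = "CN") -> str:
    """The configured DN field becomes the username; 'unknown' if absent."""
    values = subject.get(dn_field.upper())
    return values[0] if values else "unknown"

def authorize(subject_dn: str, dn_field: str = "CN") -> Optional[dict]:
    """Authenticated cert -> authorized group + username, or None if no rule."""
    subject = parse_dn(subject_dn)
    group = match_group(subject)
    if group is None:
        return None  # valid certificate, but not authorized for VPN access
    return {"group": group, "username": accounting_username(subject, dn_field)}
```

A subject that matches no rule is the "existing PKI user who should not get VPN access" case from the reply: authenticated, but denied at authorization.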

8dstaicu
Level 1

I tried to open a business case with Cisco in order to make PKI authentication on the concentrator identical to the one in routers for dial-up with PKI. No success so far. I will have a chat with the PM for the concentrator in two weeks. Hope to convince him the current implementation is crap.