3rd party Certificate and AAA Authentication

kennethgrande
Level 1

I am using a Cisco ASA 5520 and I have set up remote access VPN with an AnyConnect connection profile.

In the connection profile I have set up that users should authenticate using both certificate and AAA.

Due to a high security requirement, the user certificate is issued from a 3rd party.

This is working fine and the user now needs a valid certificate and a username/password to authenticate successfully.

I added the CA certificate as an associated trustpoint on the ASA box to get the certificate verification working.

Problem:
If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joe's certificate and Jane's username/password. Both are valid (isolated), but I only want Jane to be able to authenticate with her username/password and her personal certificate.

I got an idea that I could put the Serial Number of the user's certificate on the user object in AD (on the user's department field or something like that) and check if this value matches during authentication.

So, to sum things up, I want to compare the Serial Number (SER) field of the user's certificate with a field on the user object in AD during authentication. As far as I can see the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field matches the value on the user object in AD.

I am happy for any help that could point me in the right direction on how to accomplish this.

Best regards,
Kenneth

8 Replies

Marcin Latosiewicz
Cisco Employee

Kenneth,

You're raising an interesting point.

In practice the security risk is negligible (if I understand the scenario): Jane would have to compromise Joe's certificate AND RSA keys.

But I agree, if Joe left while his computer was not locked, Jane could authenticate herself.

What one can do (and is simpler, but requires some foresight) is to use the "username from certificate" feature.

Where we derive the username from the certificate and require the user to enter only a password.

"• Pre-fill username from certificate: This security feature facilitates user login by pre-filling the username in username/password authentication from a field of the user's certificate."

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-526545.html

Other options coming to mind involve DAP (which I'm not a fan of but it does provide additional flexibility).

Marcin

Thank you for the fast reply, Marcin.

The security requirements are based on governmental guidelines. The certificates are issued from a governmentally approved CA that issues eID certificates to people in my country. Right now I have to use this CA to meet the requirements.

This means that I have no control over the certificate fields and the only unique thing I can use is the Serial Number (SER) field and some sort of mapping to the user object in my AD. If the serial number on the certificate matches the serial number registered on the user object, there is no doubt that the user is using the correct certificate.

If I should go with the pre-fill username option (I have thought of this too), I could use the SER field as username and give the users a matching username in AD. This is not a good solution as the users will have a username like this: 1234-5678-123456789.

I cannot use values like Common Name etc., as there will be more than one person in my country called "John Doe". The value used from the certificate must be unique for the user or the requirements will not be met.

I turned on LDAP debugging while authenticating the user and I retrieve the value I want to check from the "department" field on the user object like this:

[69]    department: value = 1234-5678-123456789

[69]    name: value = Kenneth

I fiddled around with LDAP attribute mapping:

[76]    department: value = 1234-5678-123456789

[76]            mapped to DN-Field: value = 1234-5678-123456789

But I am not sure how I could use this during authentication.

I am hoping there is some way to check if the user's "SER" value from the certificate matches the user object's "department" value, and do something if it does and something else if it doesn't.

Again, thanks for your effort Marcin, I really appreciate it!

Hmmmm, after some creative thinking I thought of the possibility to have multiple usernames on the user object.

The user object has a pre-Windows 2000 logon name which maps to the LDAP attribute sAMAccountName. I took the Serial Number value from the certificate and filled it into the user object's pre-Windows 2000 username. I then changed the connection profile so it would pre-fill the username based on the certificate's SER (serial name) value. I tried to log on the user and it works.

I am not sure if changing the sAMAccountName will affect other things in my environment, but for now it might look like this could be a workaround. As far as I can see all requirements regarding security are met and the user will only be able to authenticate using the certificate from the national CA and a valid password for his account in our environment. With this in mind, there are no questions regarding Jane being Jane and John being John during authentication, as they will only be able to authenticate with the certificate that is issued and verified by the CA.

I would still prefer to solve this as described in my previous post and any suggestions on how this might be accomplished would be appreciated. For now I will consider this as a workaround and not a solution.

Kenneth,

Not sure if DAP + CSD/hostscan could help here. You can do some matching in pre-login policies too based on certificate. Anyway, I have not tested this, but if you have time to look around ...

For what it's worth the solution you mention with sAMAccountName is an elegant and scalable one not involving any additional functions - reduced complexity is always a plus.

Marcin

I actually got a better idea, and I think this will work great!

One of the guys at work pointed out that the sAMAccountName is still used in many areas even though it is called pre-Windows 2000.

After some trying and failing I got the idea that I should try to change the "Naming Attribute(s)" on the defined AAA (LDAP) server under "AAA server groups".

So I changed the Naming attribute to "department", and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as username. After that I tried to log in, and voila:

[123] LDAP Search:
        Base DN = [dc=Testlab,dc=local]
        Filter  = [department=xxxx-xxxx-xxxxxxxxx]
        Scope   = [SUBTREE]
[123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]

The LDAP debug is clear: the LDAP query during authentication is now searching for the user using the department field, and looking for the value of the serial number from my certificate.

I wasn't quite happy about using the "department" field and I took a look at the user object looking for a more suitable attribute. To my surprise the user has got a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificate to the "serialNumber" attribute on the user object:

[138] LDAP Search:
        Base DN = [dc=Testlab,dc=local]
        Filter  = [serialNumber=xxxx-xxxx-xxxxxxxxx]
        Scope   = [SUBTREE]
[138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]

Worked like a charm!

I will settle for this solution, I can't see any issues regarding security, and it will be a breeze to admin. I will make a tool now so I can search for users in AD and update/view this attribute on the user objects.

Thank you for the input, Marcin.
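As an added illustration (not code from the thread, from Cisco, or from the poster), the script below models the flow the thread settles on: the subject serialNumber ("SER") attribute is taken from the user's certificate, used as the LDAP naming attribute to find exactly one user entry, and only then is the typed password checked against that entry. The directory, certificate subjects, passwords and salt are constructed sample data; the ASA CLI lines in the docstring are, to my knowledge, the command-line equivalents of the ASDM settings described above (`username-from-certificate SER`, `pre-fill-username`, `ldap-naming-attribute`), and the hypothetical helper names are mine. Two checks the thread does not spell out are included: the certificate value is RFC 4515-escaped before it lands in the search filter, and a lookup that returns zero or more than one entry is denied rather than picking the first hit.

```python
"""Added example: certificate + AAA with the username derived from the
certificate's subject serialNumber, as on the ASA in this thread.

ASA side (CLI equivalents of the ASDM settings discussed; assumed):
  tunnel-group <profile> webvpn-attributes
    authentication aaa certificate
    pre-fill-username ssl-client
    username-from-certificate SER
  aaa-server <group> host <dc>
    ldap-naming-attribute serialNumber
"""
import hashlib
import hmac
import re


def _pwhash(password: str, salt: bytes) -> bytes:
    # Stand-in for the domain controller's password check; the ASA never sees a hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt"

# Constructed sample directory. serialNumber is multi-valued in the AD schema,
# so each entry holds a list of values.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Users,DC=testlab,DC=local",
     "serialNumber": ["1234-5678-111111111"],
     "pwhash": _pwhash("jane-password", _SALT)},
    {"dn": "CN=Joe Bloggs,OU=Users,DC=testlab,DC=local",
     "serialNumber": ["1234-5678-222222222"],
     "pwhash": _pwhash("joe-password", _SALT)},
]


def parse_subject(subject: str) -> dict:
    """Split an RFC 4514 subject DN string into {attr_lower: value}.
    Backslash escapes (e.g. 'Doe\\, Jane') are honoured. In a real certificate
    the SER field is the subject attribute serialNumber (OID 2.5.4.5)."""
    parts, cur, escaped = [], [], False
    for ch in subject:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().lower()] = value.strip()
    return attrs


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping: the certificate value goes inside the search filter,
    so '*', '(', ')', '\\' and NUL are neutralised first."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(naming_attr: str, value: str) -> str:
    """The filter the ASA debug shows as 'Filter = [serialNumber=...]'."""
    return "(%s=%s)" % (naming_attr, ldap_escape(value))


def match_filter(entry: dict, filt: str) -> bool:
    """Evaluate a simple equality filter '(attr=value)' against one entry."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        return False
    attr = m.group(1).lower()
    wanted = re.sub(r"\\([0-9a-fA-F]{2})",
                    lambda h: chr(int(h.group(1), 16)), m.group(2))
    for key, values in entry.items():
        if key.lower() == attr and isinstance(values, list) and wanted in values:
            return True
    return False


def authenticate(cert_subject: str, password: str, directory=DIRECTORY):
    """Returns (granted, reason). Chain and CRL validation of the certificate
    are assumed to have passed already, as they do on the ASA before this step."""
    ser = parse_subject(cert_subject).get("serialnumber")
    if not ser:
        return False, "certificate has no subject serialNumber (SER) field"
    filt = build_filter("serialNumber", ser)
    hits = [e for e in directory if match_filter(e, filt)]
    if len(hits) != 1:
        # Zero hits: nobody is bound to this certificate. More than one: the
        # binding is ambiguous; deny rather than silently pick the first entry.
        return False, "expected one user for %s, found %d" % (filt, len(hits))
    user = hits[0]
    if not hmac.compare_digest(_pwhash(password, _SALT), user["pwhash"]):
        # Jane typing her own password against Joe's certificate ends here.
        return False, "password does not match %s" % user["dn"]
    return True, user["dn"]


if __name__ == "__main__":
    print(authenticate("CN=Jane Doe,serialNumber=1234-5678-111111111", "jane-password"))
    print(authenticate("CN=Joe Bloggs,serialNumber=1234-5678-222222222", "jane-password"))
```

The second call in the usage block is the mix-and-match case from the original question: Joe's certificate selects Joe's entry, so Jane's password is checked against the wrong account and the login is refused, which is exactly the property the naming-attribute change buys.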

Kenneth,

Out of curiosity, how is that field populated in LDAP/AD?

i.e. what happens if you need to revoke a cert and provide a new one to a user?

M.

The serialNumber attribute is part of the AD schema:

(more details here)

http://msdn.microsoft.com/en-us/library/windows/desktop/ms679771(v=vs.85).aspx

There will be no need to update the serialNumber attribute on the user if the certificate is revoked. The serial number is unique for the user and is not changed during the user lifecycle with the CA.

So, if the user certificate expires (or is lost and revoked), the CRL check will fail and the user will be denied access. The user contacts the CA to get a new certificate; when she tries to log in with the new certificate, the CRL check will pass, the serial number hasn't changed and the user will be granted access.

K

K,

Gotcha, I mistook the cert's serial for the field in the cert that is equal to the serial in AD/LDAP ;-)

M.