ssl vpn certificate

elite2010
Level 3

Hi,

I am using SSL AnyConnect VPN. ISE is the authentication server.
Domain users are authenticated based on their security group, and 2FA is enabled using an OTP service as the second factor.

Now I want to remove the 2FA and add a certificate as the second factor.

As I understand it, I have to create certificates for the users.

The FQDN of the user is "user1@test.local".

I am facing some issues with Microsoft CA.

So I decided to set up an OpenSSL CA.

So when I create a certificate for the user, what information must be provided? Do I need to add the key to the workstation as well?

Thanks


5 Replies

Bogdan Nita
VIP Alumni

Users only need a valid certificate from the CA server.

There is no need to install the root certificate on the user device, but it should be installed on the ASA in order to properly validate the clients' certificates.

The common name of the user certificate can be any unique name, but you probably want something that identifies the client using the certificate.

Hi,
Why don't we need to install the root on the CA? Is it because the client is the one presenting its certificate to the ASA?
If the username is 'user1@test.local', what could be the CN of the certificate?

Thanks

Marvin Rhoads
Hall of Fame

I believe that if the user/workstation is presenting a certificate for authentication, they must also have the private key for their own certificate.


You can also issue certificates from ISE as a CA. Most common though is to use Microsoft CA. There are several how-to tutorials online covering how to do that.

Hi,
Is there any document about the CA in ISE?
Let's say the certificate is installed on the client.
The user is trying to connect to the VPN.
How does the validation process work?
Thanks

ISE needs to trust the CA issuing the certificates to the clients. Usually that is done by ensuring that a copy of the CA's root certificate is installed on ISE and trusted.


Once that is in place, a Certificate Authentication Profile needs to be in place to instruct ISE which field (typically CN) to use in the presented certificate to identify / authenticate the user.


There are several resources specific to certificate authentication in ISE. One good overview article is here:


https://www.networkworld.com/article/2226498/infrastructure-management/simply-put-how-does-certificate-based-authentication-work.html


Details on how an ASA interacts with client authentication and ISE can be found here:


https://communities.cisco.com/docs/DOC-68158
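The issuance and validation steps described across this thread (the user keeps the private key with the certificate, the headend trusts the CA root, and the CN is the field an ISE Certificate Authentication Profile reads), as an added example that is not from the thread or from Cisco. It assumes a Linux host with the openssl command line tool, builds a constructed throwaway lab CA, and only simulates the checks an ASA or ISE would perform.

```shell
# Constructed, throwaway PKI: a root CA issues a client-auth certificate for
# user1@test.local, then the script runs the checks the headend relies on.
set -eu
WORK=$(mktemp -d)
# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >"$WORK/req.cnf"

make_ca() {
  # Self-signed root. Its certificate (not its key) is what must be imported as
  # a trusted CA on the ASA and on ISE so client certificates can be validated.
  openssl req -config "$WORK/req.cnf" -x509 -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 3650 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_user_cert() {
  # $1 = user principal; it becomes the CN and an email SAN. The key pair is
  # generated here for the user: user.key must be installed on the workstation
  # with user.crt, otherwise the client cannot prove it owns the certificate.
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nsubjectAltName=email:%s\n' "$1" >"$WORK/ext.cnf"
  openssl x509 -req -days 365 -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
    -out "$WORK/user.crt" 2>/dev/null
}

chains_to_trusted_root() {
  # The headend's check on a presented certificate: does it chain to the
  # trusted root and is it usable for client authentication?
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

cert_cn() {
  # The subject CN, the field an ISE Certificate Authentication Profile
  # typically maps to the username.
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//; s/^CN=//'
}

key_matches_cert() {
  # Proves the workstation's private key belongs to the certificate it presents.
  [ "$(openssl x509 -in "$WORK/user.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/user.key" -pubout 2>/dev/null)" ]
}

make_ca
issue_user_cert "user1@test.local"
# A certificate from an issuer the headend does not trust fails the same check.
openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=user1@test.local" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
```

The rogue certificate carries the same CN as the legitimate one, which is why the identity mapping is only meaningful after the chain check against the trusted root has passed.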