Hi,
i am trying to use 2factor authentication for user access to a SSL VPN.
The two factors should be:
- user SSL certifcate
- userid/pw with local server or Win AD
One of the goals is to glue the certificate with the user credentials to make sure that a user only can login to the VPN with their own userid/pw but not for example with their own uid+pw and their collegues cert.
Let's assume the login name is firstname.lastname
The user presents the certificate, where the variable certAttr.altName.Emailid contains also firstname.lastname.
Now i tried to only use one Auth Server (Win AD) in this setup
and checked both at
Users -> Realm <NAME> -> Auth Policy -> Certificates
or
Users -> Realm <Name> -> Role Mapping -> Testrule
to do something like this:
if certAttr.altName.Emailid != <USERNAME> then reject.
but that does not work.
I suspect it is not possible to compare the contants of any arbitrary variables.
Does anyone have ideas on that?
thanks and regards
Udo
I use a role-mapping rule with an expression -
user != certDn.serialNumber
to compare the entered username to the serial number in the Dn of the certificate. If the expression is true (that is, the cert does not match the entered username), I assign them to a role which tells them so, but gives them no privileges. Works for me.
Ken
One more thing -
I do not do certificate authentication. I do set certificate restrictions for the certificate to match the expected certificate model, and do the userid/password authentication (mine happens to be Siteminder acting as a Radius server). That works really well for me. I then do the comparison using the expression in my earlier post. This ensures that the certificate is installed, that it matches the user ID, and that the user has logged on with the correct password.
One more thing - policy tracing is a great tool. Turn on policy tracing for the ID you are testing, and ask to trace authentication and authentication events. You'll see the value of all of the interesting variables, and maybe figure out why your comparison is not working.
Good luck - it is possible!
Ken
Hi,
after some testing together with JTAC, i have now more insight and an solution, that i wanted to share with you. To make sure that we are talking about the same, i wanted to glue a userid/pw that should be sent to a Win AD to some valaues of a user cert. in order to make sure that for company ABC every employee has to use their own cert and userid+pw rather than any mix of the above.
insights:
- not all cert variables are available for comparisons at any stage.
Auth Policy:
- only the "main" attribute values from the DN text are available at the pre-signin level
(Users -> User Realm -> <NAME> -> Auth Policy -> Certificates -> Restrictions
- At the aforemention level you can only check for the content of a variable , like
O= ABC
- but comparing two arbitrary variable's values does not work.
User Role mapping:
- here the comparison of two arbitrary variable's does work in general.
- only a subset of variables can not be compared for whatever reason
(for example, given your WinAD login name is firstname.lastname@abc.com, then your
SA username would contain "firstname.lastname". The comparison of <certAttr.altName.Emailid>
!= <USERNAME> does not work, but here a explanation is missing why.
- another rolemapping rule of the kind of "if certIssuer.DN != "ABC User CA" then don't do a role map.
works just nicely at the rolemapping level.
Solution:
- create 2 auth servers:
- primary: local cert server
- 2ndary: Win AD, with userid field preset with <certAttr.altname.EmailID> and password to be
specified at login page.
Now this works, if the lefthand values of an users emailaddress does exist in the Win AD as a user
AND their password do match on the WinAD.
I do further checks on the rolemapping level:
"if <certIssuerDN.CN != "My Company User CA" then no role map
works quite nicely now.
Thanks for your answers, i appreciate them.