Comparing variables from certificate with local or Win AD values

New Contributor

Hi,

I am trying to use 2-factor authentication for user access to an SSL VPN.

The two factors should be:

- user SSL certificate

- userid/pw with local server or Win AD

One of the goals is to glue the certificate with the user credentials to make sure that a user can only log in to the VPN with their own userid/pw, but not, for example, with their own uid+pw and their colleague's cert.

Let's assume the login name is firstname.lastname

The user presents the certificate, where the variable certAttr.altName.Emailid contains also firstname.lastname.

Now I tried to only use one Auth Server (Win AD) in this setup

and checked both at

Users -> Realm <NAME> -> Auth Policy -> Certificates

or

Users -> Realm <Name> -> Role Mapping -> Testrule

to do something like this:

if certAttr.altName.Emailid != <USERNAME> then reject.

but that does not work.

I suspect it is not possible to compare the contents of any arbitrary variables.

Does anyone have ideas on that?

thanks and regards

Udo

Super Contributor

Re: Comparing variables from certificate with local or Win AD values

I use a role-mapping rule with an expression -

user != certDn.serialNumber

to compare the entered username to the serial number in the Dn of the certificate. If the expression is true (that is, the cert does not match the entered username), I assign them to a role which tells them so, but gives them no privileges. Works for me.

Ken

Respected Contributor

Re: Comparing variables from certificate with local or Win AD values

As Ken said, it should work. You need to use custom expressions to check against values, but it can be done. --> make sure you enable the realm option to retrieve the certificate (users>user realms>realmName>restrictions>certificate, use either the 2nd or 3rd option depending on your needs/desires)
In what way was it failing?
Super Contributor

Re: Comparing variables from certificate with local or Win AD values

One more thing -

I do not do certificate authentication. I do set certificate restrictions for the certificate to match the expected certificate model, and do the userid/password authentication (mine happens to be Siteminder acting as a Radius server). That works really well for me. I then do the comparison using the expression in my earlier post. This ensures that the certificate is installed, that it matches the user ID, and that the user has logged on with the correct password.

One more thing - policy tracing is a great tool. Turn on policy tracing for the ID you are testing, and ask to trace authentication and authentication events. You'll see the value of all of the interesting variables, and maybe figure out why your comparison is not working.

Good luck - it is possible!

Ken

New Contributor

Re: Comparing variables from certificate with local or Win AD values

Hi,

After some testing together with JTAC, I now have more insight and a solution that I wanted to share with you. To make sure that we are talking about the same thing: I wanted to glue a userid/pw that should be sent to a Win AD to some values of a user cert, in order to make sure that for company ABC every employee has to use their own cert and userid+pw rather than any mix of the above.

insights:

- not all cert variables are available for comparisons at any stage.

Auth Policy:

- only the "main" attribute values from the DN text are available at the pre-signin level

(Users -> User Realm -> <NAME> -> Auth Policy -> Certificates -> Restrictions)

- At the aforementioned level you can only check for the content of a variable, like

O= ABC

- but comparing two arbitrary variable's values does not work.

User Role mapping:

- here the comparison of two arbitrary variables does work in general.

- only a subset of variables cannot be compared, for whatever reason

(for example, given your WinAD login name is firstname.lastname@abc.com, then your
SA username would contain "firstname.lastname". The comparison of <certAttr.altName.Emailid>
!= <USERNAME> does not work, but here an explanation of why is missing.)

- another role mapping rule of the kind "if certIssuer.DN != "ABC User CA" then don't do a role map"

works just nicely at the role mapping level.

Solution:

- create 2 auth servers:

- primary: local cert server

- secondary: Win AD, with userid field preset with <certAttr.altname.EmailID> and password to be
specified at login page.

Now this works, if the left-hand value of a user's email address exists in the Win AD as a user

AND their password matches on the WinAD.

I do further checks on the role mapping level:

"if <certIssuerDN.CN> != "My Company User CA" then no role map"

works quite nicely now.

Thanks for your answers, I appreciate them.
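The binding the thread converges on (issuer CN must be the company user CA, and the left-hand side of the certificate's e-mail must equal the entered user name) written out as a stand-alone Python check. This is an added example, not code from the thread or from any vendor product; CertAttrs, check_binding and the sample attribute values are constructed assumptions, not parsed from a real certificate.

```python
# Added example: mirrors the two checks the final post applies, so a user cannot
# pair their own password with a colleague's certificate. Attribute values are
# constructed samples, not read from a real certificate.
from dataclasses import dataclass

EXPECTED_ISSUER_CN = "My Company User CA"  # value quoted in the final post


@dataclass
class CertAttrs:
    """Subset of certificate attributes the rules reference (constructed)."""
    issuer_cn: str
    san_emails: tuple  # all rfc822Name entries in subjectAltName


def username_from_login(login: str) -> str:
    """Normalise what the user typed: drop a UPN domain suffix, lower-case it."""
    return login.split("@", 1)[0].strip().lower()


def check_binding(login: str, cert: CertAttrs) -> tuple:
    """Return (allowed, reason). Both factors must agree:
    - the issuer CN must be the company user CA (rejects certs from other CAs);
    - the left-hand side of one SAN e-mail must equal the entered user name.
    """
    if cert.issuer_cn != EXPECTED_ISSUER_CN:
        return False, f"issuer CN {cert.issuer_cn!r} is not the company user CA"
    user = username_from_login(login)
    if not user:
        return False, "empty user name"
    # Compare against every e-mail SAN, case-insensitively, on the local part only.
    local_parts = {e.split("@", 1)[0].lower() for e in cert.san_emails if "@" in e}
    if user not in local_parts:
        return False, f"user {user!r} matches none of the certificate e-mails"
    return True, "certificate and user name agree"
```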