We've been using RSA tokens for authentication to our SSL VPN system. Recent interest in iPhones and Junos Pulse is leading us in the direction of using certificates for more seamless authentication.
I'd appreciate the benefit of others' experience. I understand I can stand up a certificate server on the SA box itself. How manageable is it? Alternatively, could we use our Active Directory CA to generate certs for the client devices? If yes, are there some guides I can follow? I haven't been able to find sufficient information in the Juniper knowledge base or admin guides.
If you are interested in certificate-based authentication I would take a serious look at the following site:
They have an awesome product and it is in my top 3 recommended solutions for two factor authentication when I outline solutions to potential clients.
Is there a guide I can follow for using a Windows CA with the SSL VPN system? I assume I have to import our AD CA cert into the Juniper box.
The idea for using one cert with a password seems like it would be a time saver, but I'm not sure our Infosec group would go for it.
I don't think you can create certificates for clients directly on the IVE.
You can use Windows Server CA easily.
You could use ONE certificate for all users in addition to user credentials.
You can use this certificate on realm level for authorization via role mapping.
When you want the cert to be valid for more than 2 years, use Windows Server Enterprise Edition.
You have to configure validation in the registry. I use 5 years because I don't want to enroll certificates to thousands of users.
Of course one certificate for ALL users does not make much sense from a normal point of view. :-)
The certificate in my scenario does NOT authenticate the user.
The user authenticates with his AD credentials.
In the background, the client browser transmits the client certificate to the IVE.
The IVE uses the client certificate to authenticate the CLIENT DEVICE as a trusted company device.
Via the certificate attribute "CN" you can assign the authenticated user the proper IVE role.
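The device-trust plus CN role-mapping flow described in the reply above, as an added lab example (not from the thread or from Juniper): a throwaway CA stands in for the AD CA, the 5-year device certificate and the CN value "CorpLaptop" are constructed, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: a lab PKI mimicking the described setup. The CA,
# CN values and role names are constructed for illustration only.
set -eu

# Build a lab CA and issue a 5-year device certificate, mirroring what
# the post configures on a Windows enterprise CA. Prints the work dir.
setup_demo_pki() {
  work=$(mktemp -d)
  # Company CA (the AD CA in a real deployment)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$work/ca.key" -out "$work/ca.crt" \
    -subj "/CN=Example Corp Device CA" >/dev/null 2>&1
  # Device certificate signed by the CA; the CN drives role mapping
  openssl req -newkey rsa:2048 -nodes -keyout "$work/device.key" \
    -out "$work/device.csr" -subj "/CN=CorpLaptop" >/dev/null 2>&1
  openssl x509 -req -in "$work/device.csr" -CA "$work/ca.crt" \
    -CAkey "$work/ca.key" -CAcreateserial -days 1825 \
    -out "$work/device.crt" >/dev/null 2>&1
  # Self-signed certificate with the same CN: right name, wrong issuer
  openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
    -keyout "$work/rogue.key" -out "$work/rogue.crt" \
    -subj "/CN=CorpLaptop" >/dev/null 2>&1
  echo "$work"
}

# Role mapping in the order the IVE applies it: trust the chain first,
# read the CN only afterwards. An untrusted certificate gets no role.
map_role() {
  cert=$1; cafile=$2
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
    || { echo REJECT; return 0; }
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  case "$cn" in
    CorpLaptop) echo "Employees" ;;   # company device: full role
    *)          echo "Restricted" ;;  # trusted CA, unknown CN: limited role
  esac
}

WORK=$(setup_demo_pki)
echo "device.crt -> $(map_role "$WORK/device.crt" "$WORK/ca.crt")"  # Employees
echo "rogue.crt  -> $(map_role "$WORK/rogue.crt" "$WORK/ca.crt")"   # REJECT
```

Note that the shared certificate only proves the device was enrolled by the company CA; the user still has to pass the AD credential check separately, exactly as the reply describes.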