Hi everyone! We have implemented certificate authentication with Juniper SA 6500 and it's working fine. Smart cards are used for authentication.
It appears that any kind of client authentication certificate can be used for logging in, provided that it is signed by the Trusted Client CA defined in the certificate settings. This is actually natural because nothing in the configuration is smart card specific.
Now we want to limit the authentication only for certificates that have "Smart Card Logon (1.3.6.1.4.1.311.20.2.2)" in the Enhanced Key Usage field (EKU, or Extended Key Usage, whichever is the official term).
According to our local Juniper vendor it is not possible to use EKU in the realm authentication policy settings to restrict the access. Also, in the troubleshooting trace output there are no EKU fields mentioned. In the shown certificate fields there is nothing that could be used to differentiate the smart card certificate from the other certificates that are present.
Is it really so that we cannot limit the authentication to smart cards only?
This is an existing customer CA environment with thousands of smart cards and other certificates deployed, so it is not an easy task to change intermediate CAs, for example.
Running software version 7.2R4 at the moment.
Thanks for any hints on this.
Situation update: The local vendor opened a case with JTAC and this functionality is really not supported at the moment. An Enhancement Request will hopefully be submitted to get this implemented.
Is there any attribute within the Distinguished Name field that is different for smart card certificates only? If there is a specific OU, you can set a certificate restriction to only allow certificates with a specific OU. However, the statement above still applies, as the SA device does not search for any other attributes outside of the DN field. Please file an enhancement request with your Juniper account team if you fall under this scenario.
Hi! There is no new information available on this enhancement at the moment. I personally have discarded that as the solution and went with some other way for now.
The matching capabilities in the certificate fields are surprisingly limited.
Please try with the following options on SA and then check the status.
Configure the required policies under the Advanced certificate processing settings on the Trusted client CA certificates on SSL VPN device
If we specify the required policies, then only the user certificate which has these policies should be able to authenticate against SA device.
Waiting for your reply after testing the same...
Hi, to be clear, on which page do you suggest the settings to be configured? Do you mean some global setting, or the realm-specific Certificate page under Authentication Policy?
If you mean the latter, it was already tried: it is not possible to match the necessary fields. That is the exact problem.
We need to set the policies at the following location on the SSL VPN device.
System > Configuration > Certificates > Trusted Client CA Certificate > select the required CA certificates > Advanced certificate processing requests > Initial policy set > create a new policy based on the required field available on the client certificates.
Hope the above information helps you...
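For anyone who wants to verify what their client certificates actually carry before raising the enhancement request or trying the Initial policy set workaround, here is an added example (not from the thread, not Juniper code) that walks a DER-encoded X.509 certificate with a small pure-Python DER parser and pulls out the two extensions this thread turns on: the Enhanced Key Usage list, where the Smart Card Logon OID 1.3.6.1.4.1.311.20.2.2 would appear, and the Certificate Policies list, which is the field the "Initial policy set" reply proposes matching. `allows_smart_card_logon` is the check the SA realm policy is reported unable to express. The two certificates at the bottom are constructed fixtures with a dummy key and signature (they parse like real certificates but would never validate), and the policy OIDs under 1.3.6.1.4.1.0 are placeholders for whatever the customer CA actually assigns.

```python
"""Read the EKU and Certificate Policies extensions of a DER X.509 certificate
with a minimal DER walker. Added example; feed it open(path, "rb").read()."""

OID_EKU_EXT = "2.5.29.37"                         # id-ce-extKeyUsage
OID_CERT_POLICIES = "2.5.29.32"                   # id-ce-certificatePolicies
OID_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"   # Microsoft Smart Card Logon
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"             # id-kp-clientAuth

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    """One TLV: tag byte, DER length, content."""
    return bytes([tag]) + _encode_len(len(content)) + content

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                    # base-128, high bit = continuation
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def decode_oid(content):
    parts, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        yield tag, body

def find_extension(buf, ext_oid):
    """Depth-first search for Extension ::= SEQUENCE { extnID OID, critical
    BOOLEAN OPTIONAL, extnValue OCTET STRING }; returns extnValue or None."""
    for tag, body in children(buf):
        if tag == 0x30:
            kids = list(children(body))
            if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == ext_oid:
                return kids[-1][1]
        if tag & 0x20:                     # constructed (SEQUENCE/SET/[n]): recurse
            found = find_extension(body, ext_oid)
            if found is not None:
                return found
    return None

def eku_oids(cert_der):
    """Dotted OIDs listed in the EKU extension ([] if the extension is absent)."""
    value = find_extension(cert_der, OID_EKU_EXT)
    if value is None:
        return []
    _, seq, _ = _read_tlv(value, 0)
    return [decode_oid(b) for t, b in children(seq) if t == 0x06]

def certificate_policies(cert_der):
    """policyIdentifier OIDs from the Certificate Policies extension."""
    value = find_extension(cert_der, OID_CERT_POLICIES)
    if value is None:
        return []
    _, seq, _ = _read_tlv(value, 0)
    return [decode_oid(next(children(info))[1]) for t, info in children(seq) if t == 0x30]

def allows_smart_card_logon(cert_der):
    """The check the thread wants on the SA: EKU must include Smart Card Logon."""
    return OID_SMART_CARD_LOGON in eku_oids(cert_der)

# --- constructed fixtures: NOT valid certificates (dummy key and signature) ---
def extension(oid, value_der):
    return der(0x30, encode_oid(oid) + der(0x04, value_der))

def eku_extension(*oids):
    return extension(OID_EKU_EXT, der(0x30, b"".join(encode_oid(o) for o in oids)))

def policies_extension(*oids):
    return extension(OID_CERT_POLICIES, der(0x30, b"".join(der(0x30, encode_oid(o)) for o in oids)))

def make_cert(extensions):
    """Real TBSCertificate layout around the given extensions, so the walker is
    exercised through the version/[3] EXPLICIT nesting of a real certificate."""
    alg = der(0x30, encode_oid("1.2.840.113549.1.1.11") + der(0x05, b""))  # sha256WithRSA
    name = der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x13, b"fixture"))))
    validity = der(0x30, der(0x17, b"250101000000Z") * 2)
    spki = der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name
              + validity + name + spki + der(0xA3, der(0x30, b"".join(extensions))))
    return der(0x30, tbs + alg + der(0x03, b"\x00\x00"))

# placeholder policy OIDs under the reserved PEN 0 arc; a real PKI uses its own
SMART_CARD_CERT = make_cert([eku_extension(OID_CLIENT_AUTH, OID_SMART_CARD_LOGON),
                             policies_extension("1.3.6.1.4.1.0.1")])
OTHER_CLIENT_CERT = make_cert([eku_extension(OID_CLIENT_AUTH), policies_extension("1.3.6.1.4.1.0.2")])

if __name__ == "__main__":
    for label, cert in (("smart card", SMART_CARD_CERT), ("other client", OTHER_CLIENT_CERT)):
        print(label, eku_oids(cert), certificate_policies(cert), allows_smart_card_logon(cert))
```

If the smart card certificates turn out to carry a policy OID that the other client certificates do not, `certificate_policies` shows the exact value to enter in the Initial policy set; if they differ only in EKU, the output confirms that the DN and policy matching the SA offers cannot separate them, which is the point of the enhancement request.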