
Using only smart card certificates for login

Occasional Contributor

Hi everyone! We have implemented certificate authentication with Juniper SA 6500 and it's working fine. Smart cards are used for authentication.

It appears that any kind of client authentication certificate can be used for logging in, provided that it is signed by the Trusted Client CA defined in the certificate settings. This is actually natural because nothing in the configuration is smart card specific.

Now we want to limit the authentication only to certificates that have "Smart Card Logon (1.3.6.1.4.1.311.20.2.2)" in the Enhanced Key Usage field (EKU, or Extended Key Usage, whichever is the official term).

According to our local Juniper vendor it is not possible to use EKU in the realm authentication policy settings to restrict the access. Also, in the troubleshooting trace output there are no EKU fields mentioned. In the shown certificate fields there is nothing that could be used to differentiate the smart card certificate from other certificates that are present.

Is it really so that we cannot limit the authentication to smart cards only?

This is an existing customer CA environment with thousands of smart cards and other certificates deployed, so it is not an easy task to change intermediate CAs, for example.

Running software version 7.2R4 at the moment.

Thanks for any hints on this.
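Since the SA only matches on fields the thread shows it can see, the EKU test has to be done outside the device, for example when auditing which certificates a CA has actually issued. The following is an added example, not code from the thread or from Juniper: a dependency-free parser for a DER-encoded ExtendedKeyUsage value that reports whether the Smart Card Logon OID is present. The extension bytes it checks are constructed inside the block from the two OIDs named in the question.

```python
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon EKU
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, present in most client certs

def _encode_oid(dotted):
    """DER-encode a dotted OID (base-128 arcs); only used to build the sample input."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_eku(oids):
    """DER SEQUENCE OF OBJECT IDENTIFIER; a short-form length is enough for an EKU."""
    inner = b"".join(_encode_oid(o) for o in oids)
    return bytes([0x30, len(inner)]) + inner

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der):
    """Return the dotted OIDs in an ExtendedKeyUsage value, rejecting malformed DER."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or 2 + der[1] != len(der):
        raise ValueError("not a well-formed short-form DER SEQUENCE")
    pos, oids = 2, []
    while pos < len(der):
        length = der[pos + 1] if pos + 1 < len(der) else -1
        if der[pos] != 0x06 or length < 1 or pos + 2 + length > len(der):
            raise ValueError("expected a well-formed OBJECT IDENTIFIER")
        oids.append(_decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def has_smart_card_logon(der):
    return SMART_CARD_LOGON in parse_eku(der)

# Constructed samples: a smart card certificate's EKU and a plain client-auth EKU.
SMART_CARD_EKU = encode_eku([CLIENT_AUTH, SMART_CARD_LOGON])
PLAIN_EKU = encode_eku([CLIENT_AUTH])
```

The value passed to parse_eku is the extension's inner DER (the OCTET STRING contents of extension 2.5.29.37), which any X.509 library can hand you from a real certificate.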

7 replies
Occasional Contributor

Re: Using only smart card certificates for login

Situation update: The local vendor opened a case with JTAC and this functionality is really not supported at the moment. An Enhancement Request will hopefully be submitted to get this implemented.

Markku

New Contributor

Re: Using only smart card certificates for login

Any news on this? (I'm struggling with a similar issue)

Br,

Seppo

Valued Contributor

Re: Using only smart card certificates for login

SR,

Is there any attribute within the Distinguished Name field that is different for smart card certificates only? If there is a specific OU, you can set a certificate restriction to only allow certificates with a specific OU. However, the statement above still applies, as the SA device does not search for any other attributes outside of the DN field. Please file an enhancement request with your Juniper account team if you fall under this scenario.

Occasional Contributor

Re: Using only smart card certificates for login

Hi! There is no new information available on this enhancement at the moment. I personally have discarded that as the solution and went with some other way for now.

The matching capabilities in the certificate fields are surprisingly limited.

Markku

 

New Contributor

Re: Using only smart card certificates for login

Hi All,

Please try with the following options on the SA and then check the status.

Configure the required policies under the Advanced certificate processing settings on the Trusted client CA certificates on the SSL VPN device.

If we specify the required policies, then only user certificates which have these policies should be able to authenticate against the SA device.

Waiting for your reply after testing the same.

Occasional Contributor

Re: Using only smart card certificates for login

Hi, to be clear, on which page do you suggest the settings to be configured? Do you mean some global setting, or the realm-specific Certificate page under Authentication Policy?

If you mean the latter, it was already tried: it is not possible to match the necessary fields. That is the exact problem.

Markku

 

New Contributor

Re: Using only smart card certificates for login

We need to set the policies at the location below on the SSL VPN device.

System > configuration > Certificates > Trusted client CA certificate > select the required CA certificates > Advanced certificate processing requests > Initial policy set > create a new policy based on the required field available on the client certificates.

Hope the above information helps you.