authenticate users with their certificate only

Occasional Contributor

Hi all,

How can I authenticate users with their certificate only - one auth server, which is the CA?



Valued Contributor

Re: authenticate users with their certificate only

You would need to load a cert from the server into the SSL box and then onto the user PCs. I have a pretty simple document that I wrote for our engineers so that they could practice doing this using WinK3 cert manager. Send me your email and I will send you a copy.



Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Not applicable

Re: authenticate users with their certificate only

Kevin, would you be able to send me that doc? Thanks.

Contributor

Re: authenticate users with their certificate only

You need a Root CA (PKI) to produce client certificate(s).

Install the client cert on the user's notebook.

Install the Root CA certificate on the user's notebook.

Install the Root CA certificate under "Trusted Client Root CA" on the IVE.

Configure on the IVE an Auth. Server... Certificate Server.

Configure on the IVE a Realm which uses this Certificate Server for auth.

Configure on the IVE Role Mapping Rules at realm level: when cert attribute CN is * then assign role VPN User.

That's the whole rap.

The only problem, or most of the support effort, may be enrollment of client certificates and renewing certificates after they expire. Otherwise this is a very nice method, as it does not need user interaction, and it's very safe.

You can also enforce that the VPN end devices must be corporate client devices, marked with a client certificate.


Not applicable

Re: authenticate users with their certificate only

I need the pretty simple document for practicing this using WinK3 cert manager. My email address is xufu@nissin.com.cn

Thanks a lot

Contributor

Re: authenticate users with their certificate only

Spacyfreak gave you some good ideas about the whole thing.

First of all we assume the workstations have a valid USER cert.

(We are not talking about machine certs here - that would be covered by Host Checker.)

- Create a new auth server as a certificate server.

User Name Template is the only thing that is important here...

e.g. <certAttr.altName.UPN> for the user principal name

- Go to Configuration -> Certificates -> Trusted Client CAs.

Import the root and maybe also the intermediate CA certificate.

- Create a new realm.

Use the certificate server auth server entry for authentication.

Go to Authentication Policy -> Certificate and select "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in".

That's it ...

Role mapping:

* -> Role

Everybody with a valid user cert will be able to log on.

Ate