question about client certificate attributes

New Contributor
Hello all

I have a question about configuring the SA to check client certificate attributes.

Our intention is to provide ActiveSync access for our customers to sync their mobile devices (e.g. Apple iOS, Android) with our internal Microsoft Exchange 2007 server. For that we added a virtual port on our external interface and enabled the client certificate requirement for this port. Then we configured a virtual hostname (passthrough proxy) which forwards the traffic to the target URL (Exchange server). This setup works perfectly with certificates of our Trusted Client CA.

Now the question:

Is it possible to filter a special attribute of the certificate? More precisely I mean the "certificate template information" extension ("Template=WirelessUsers(1.3.6.1.4.1.311.21.8.12249325.11114837.14369456.6622982.4790504.72.2880170.14957459)") and/or the "enhanced key usage" extension (e.g. "Client Authentication (1.3.6.1.5.5.7.3.2)"

or the custom value "WirelessUsers (1.3.6.1.4.1.311.21.8.12249325.11114837.14369456.6622982.4790504.72.10766458.11704646)").

I did some tests with role option restrictions for certificates... e.g. "CN = <user>" works perfectly, but I can't find any information about these special attributes.

It would be great if someone could help me :-)

Thank you!

Mirko

4 REPLIES

New Contributor

Subject: question about client certificate attributes

Hi all,

I did some other tests with Client Cert validation:

Configuration > Trusted Client CA > [root-ca] > Advanced Certificate Processing Settings

Enabled the "Initial Require Explicit Policy" and set the required value of the affected template:

I tried with our specific value (see below) but it doesn't work.

1.3.6.1.4.1.311.21.8.12249325.11114837.14369456.6622982.4790504.72.10766458.11704646

The standard value 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth) doesn't work either.

Tcpdump on the external port tells me that the client sends the correct certificate:

[…]
Extension (id-ce-extKeyUsage)
    Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
    KeyPurposeIDs: 2 items
        KeyPurposeId: 1.3.6.1.4.1.311.21.8.12249325.11114837.14369456.6622982.4790504.72.10766458.11704646 (iso.3.6.1.4.1.311.21.8.12249325.11114837.14369456.6622982.4790504.72.10766458.11704646)
        KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
Extension (id-ms-application-certificate-policies)
    Extension Id: 1.3.6.1.4.1.311.21.10 (id-ms-application-certificate-policies)
    CertificatePoliciesSyntax: 2 items
        PolicyInformation
            policyIdentifier: 1.3.6.1.4.1.311.21.8.12249325.11114837.14369456.6622982.4790504.72.10766458.11704646 (iso.3.6.1.4.1.311.21.8.12249325.11114837.14369456.6622982.4790504.72.10766458.11704646)
        PolicyInformation
            policyIdentifier: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
[…]


I send a request from my client to this port and send the right certificate, but authentication fails. There is no log entry with any error description. :-(

Reply from the SA's external port:

Secure Socket Layer
    TLSv1 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Certificate Unknown (46)

Does anyone have any idea or experience with this feature?

Regards,

Mirko
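The extKeyUsage extension in the tcpdump above is only a DER SEQUENCE of OBJECT IDENTIFIERs, so the check being asked for (allow a client cert only if it carries the WirelessUsers template OID as a KeyPurposeId, deny a cert that merely has id-kp-clientAuth) can be expressed as decoding that SEQUENCE and matching it against a required set. The following is an added example, not code from this thread, from Juniper or from the SA; it builds the DER bytes for the two KeyPurposeIds shown above with a small encoder (constructed sample input, not captured bytes) and then decodes and evaluates them. The function names (encode_oid, encode_eku, decode_eku, eku_permits) are my own.

```python
# Added example: decode an X.509 extKeyUsage (2.5.29.37) extension value
# from DER and evaluate its KeyPurposeId OIDs against a required set.
# The two OIDs below are the ones shown in the tcpdump dissection in the
# thread; the DER bytes are constructed here by a small encoder.

TEMPLATE_OID = ("1.3.6.1.4.1.311.21.8.12249325.11114837.14369456"
                ".6622982.4790504.72.10766458.11704646")  # WirelessUsers template
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"                      # id-kp-clientAuth


def _encode_base128(n):
    """Encode one OID arc as a big-endian base-128 byte string."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted):
    """DER-encode a dotted OID string as an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])          # first two arcs share a byte
    body += b"".join(_encode_base128(a) for a in arcs[2:])
    return b"\x06" + _encode_length(len(body)) + body


def encode_eku(oids):
    """DER-encode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    n = 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                             # last byte of this arc
            arcs.append(n)
            n = 0
    if body[-1] & 0x80:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Return the list of KeyPurposeId OIDs in an extKeyUsage value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(val))
    return oids


def eku_permits(der, required):
    """Allow only if every required KeyPurposeId is present. A cert that
    carries just id-kp-clientAuth and no template OID is therefore denied,
    which is the 'only certs from our template' rule the thread asks for."""
    present = set(decode_eku(der))
    return all(oid in present for oid in required)


# Constructed sample inputs: the cert seen in the tcpdump, and a cert
# from some other template that only asserts clientAuth.
WIRELESS_USER_EKU = encode_eku([TEMPLATE_OID, CLIENT_AUTH_OID])
CLIENT_AUTH_ONLY_EKU = encode_eku([CLIENT_AUTH_OID])

if __name__ == "__main__":
    print(WIRELESS_USER_EKU.hex())
    print(decode_eku(WIRELESS_USER_EKU))
    print(eku_permits(WIRELESS_USER_EKU, [TEMPLATE_OID, CLIENT_AUTH_OID]))     # True
    print(eku_permits(CLIENT_AUTH_ONLY_EKU, [TEMPLATE_OID, CLIENT_AUTH_OID]))  # False
```

The parser rejects truncated or mis-typed input instead of silently matching, which matters when the bytes come from an untrusted client rather than from a constructed sample; a real deployment would pull the extension value out of the presented certificate rather than from encode_eku.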

Contributor

Subject: question about client certificate attributes

Did you ever get a solution for this?

 

We're looking to do something similar for our iPad users (Junos Pulse), but at the moment it's set to "any certificate from a trusted CA". We want to allow certificates using the CA's custom iPad template, but deny everything else.

 

cheers

Mike

Frequent Contributor

Subject: question about client certificate attributes

Even if you could figure out a way to get the custom attribute, where would you put it? You need an auth server to hold them. The pass-through proxy is relying on your LDAP server, not Juniper.

Respected Contributor

Re: question about client certificate attributes

No, you cannot use the custom attributes from the certificates.