Using client certificates with Cisco VPN 3xxx concentrator

Tags:
Biometrics
Cisco
Digital certificates
Identity & Access Management
provisioning
Security tokens
Single sign-on
I am specifically looking for a way to match Windows login credentials with a user certificate and then transparently submit to Active Directory for authentication. It seems that the Cisco VPN client first checks the validity of the certificate (without matching the Windows credentials) then prompts the user for Active Directory login information (even if those don't match those on the certificate). We are using Microsoft CA for certificates with Cisco VPN 3000 concentrators and Cisco VPN client (4.6). We are interested in organizations that have integrated the Windows login credentials with the user certificate to provide a transparent and secure remote access experience. We use a combination of Windows XP Pro and Windows 2000 clients. Thanks for any info.

Answer Wiki


You need 2003 Enterprise Edition and you can then autoenroll certificates so users and computers automatically pick up a certificate from your CA via the Active Directory (on 2003 EE). Just copy the template but check the autoenrollment box.

Discuss This Question: 3 Replies

  • Stuberman
    Thanks - we are working on the auto enrollment process and will probably use AD 2003. The question I have is around the use of the Cisco (or other) VPN client to connect without prompting the user for an ID and password AND to check that the certificate name matches the domain authentication.
  • Cptrelentless
    With VPN authentication you need a machine certificate to connect, rather than a user certificate. So I don't think you can tie the credentials to the certificate. As I understand it you get the 'this machine is allowed to connect via IPSEC to us' bit, then you get the 'ok, who are you?' bit. The certificate is required to encrypt the user credentials transmission. Have you tried loading the certificate into your user account? If you logged on as a user using the 'log on via dial-up' option you'd only have to log on to the machine once and it should (in theory) connect you via the VPN connection.
  • Stuberman
    We are using a user certificate, not a machine certificate, which is the design of the Cisco VPN client. When you run the Cisco client software it sends the certificate information to the Cisco 3000 headend and checks the validity of the certificate (chained properly to the root and against the CRL). However, the certificate is not matched against the PC's logon credentials, nor does it check against AD. After the certificate is checked there is a separate authentication check against AD using the information that a user supplies in a Windows dialog box (ID and password). So the issue is that I can present my certificate (if valid) and then log in using someone else's ID and password. It seems like Cisco should use the Windows integrated login for passing the user credentials along with the certificate, or that there is some third-party application that does this.
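The reply above describes the gap: the client validates the certificate's chain and CRL status but never ties the certificate's identity to the Windows account that is then typed in. As an added illustration, not code from this thread, from Cisco or from Microsoft, the PowerShell below performs that binding on the Windows client: it reads the UPN from the user certificate's Subject Alternative Name (where a Microsoft CA "User" template places it) and compares it with the logged-on domain account's UPN. It assumes a domain-joined machine, a certificate in the current user's personal store, and a PowerShell host with the Cert: drive available.

```powershell
# Added example: verify that a client-authentication certificate in the user's
# personal store carries a UPN matching the logged-on domain account.
# Assumption: the SAN contains a "Principal Name" entry, as Microsoft CA User templates write it.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-CertificateUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject Alternative Name extension is OID 2.5.29.17
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    # Format($true) renders the SAN as text, e.g. "Other Name: Principal Name=alice@corp.example"
    $text = $san.Format($true)
    if ($text -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null
}

function Test-CertificateMatchesLogon {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$LogonUpn
    )
    $certUpn = Get-CertificateUpn -Cert $Cert
    if (-not $certUpn -or -not $LogonUpn) { return $false }
    # UPNs are case-insensitive; anything else is a mismatch
    return ($certUpn -ieq $LogonUpn)
}

# UPN of the account currently logged on, as Active Directory knows it
$logonUpn = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current.UserPrincipalName

# Candidate certificates: have a private key and the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
}

foreach ($cert in $candidates) {
    $matches = Test-CertificateMatchesLogon -Cert $cert -LogonUpn $logonUpn
    '{0}  cert UPN={1}  logon UPN={2}  match={3}' -f $cert.Thumbprint, (Get-CertificateUpn -Cert $cert), $logonUpn, $matches
}
```

A certificate that reports match=False is exactly the case the reply describes: it would pass the concentrator's validity check while belonging to a different account than the one whose ID and password are entered.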
