Setting up the Cisco VPN3000 Concentrator for PKI Authentication


1.     Import your certificate authority’s root certificate(s) into the trusted store in the Cisco VPN.

1.1.  Acquire a PKCS #7 certificate chain from your CA.  At Dartmouth with Sun iPlanet’s CA server, this is in Advanced -> Retrieval -> Import CA Certificate Chain ->  Display the CA certificate chain in PKCS#7 for importing into a server -> Submit.

1.2.  Copy the PKCS #7 text into your paste buffer.  Dartmouth’s currently is:


1.3.  Log into the Cisco VPN administrative web.

1.4.  Go to “Administration | Certificate Management | Install | CA Certificate | Cut & Paste Text”.

1.5.  Paste the PKCS #7 text into the text box.

1.6.  Click Install.

1.7.  In “Administration | Certificate Management” verify that the root certificate installed properly in the Certificate Authorities section.  You can view the certificate to help verify it.

1.8.  Note: There is currently a bug in the Cisco VPN3000 whereby certificates with DC= components in their name fields (e.g. DC=Dartmouth, DC=edu) are displayed by the concentrator as “Unknown”.  We are working to report this problem to Cisco.  As described in the group matching steps below, this limits some of the group matching capabilities, but otherwise appears to be harmless.

2.     Generate an identity certificate signed by your CA.

2.1.  Go to “Administration | Certificate Management | Enroll | Identity Certificate | PKCS10”.

2.2.  Fill out the fields.  Remember that this is identifying information about the VPN box itself (and its administrator).  Dartmouth uses 1024 bits for the key size.

2.3.  Click Enroll.  The VPN will pop up a new window with the PKCS certificate request text in it.  Here is an example:


2.4.  Copy this PKCS #10 text into your paste buffer.

2.5.  Go to the server identity certificate enrollment facility in your CA.  At Dartmouth, this is “Advanced -> Enrollment -> SSL Server”.

2.6.  Paste your PKCS #10 request into the appropriate window.

2.7.  Complete the rest of the form and click Submit.  At Dartmouth, this causes the CA to issue a request identifier (remember this number).

2.8.  Dartmouth requires approval by the CA administrator before the CA can generate the requested certificate.  Once it is approved, you can retrieve the certificate using your request identifier.

2.9.  Go to the certificate retrieval feature of your CA and get the certificate.  At Dartmouth this is “Advanced -> Retrieval -> Check Retrieval Status”.  Enter your request identifier and click Submit.  We used the resulting PKCS #7 certificate chain in base64 (another copy and paste text certificate transfer).

2.10.  In the Cisco administration tool, go to “Administration | Certificate Management | Install certificate obtained via enrollment”.

2.11.  You should see the Enrollment Status entry for your “In Progress” enrollment.

2.12.  Click Install, then choose Cut and Paste Text.

2.13.  Paste in your PKCS #7 text and click Install.

2.14.  In “Administration | Certificate Management” verify that the identity certificate installed properly in the Identity Certificates section.  You can view the certificate to help verify it.
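Steps 1.2 and 2.9 both hand you base64 text labelled “CERTIFICATE” even though it is a PKCS #7 chain, and step 2.13 expects exactly that. The added example below (not part of the original document and not Cisco or iPlanet code) checks that a pasted PEM block is well-formed and, by looking at the DER structure, tells a PKCS #7 SignedData chain apart from a bare certificate or PKCS #10 request before it goes into the concentrator; the sample chain is constructed inline and only carries the outer ContentInfo structure.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (id-signedData): the first element of a
# PKCS #7 ContentInfo, which is what a "certificate chain" export from the CA is.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)

def parse_pem(text):
    """Return (label, der_bytes) for the first PEM block in text; raise ValueError if broken."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    begin, body, end = m.groups()
    if begin != end:
        raise ValueError("BEGIN/END labels differ: %s / %s" % (begin, end))
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:
        raise ValueError("body is not valid base64: %s" % exc)
    return begin, der

def der_header(buf, pos=0):
    """Decode one DER tag and length at pos; return (tag, length, header_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n

def classify(der):
    """Rough structural classification of a DER blob, enough to catch a wrong paste."""
    if len(der) < 2:
        return "empty"
    tag, length, hlen = der_header(der)
    if tag != 0x30 or hlen + length != len(der):
        return "not a single DER SEQUENCE"
    inner_tag, _, _ = der_header(der, hlen)
    if inner_tag == 0x06 and der[hlen:hlen + len(SIGNED_DATA_OID)] == SIGNED_DATA_OID:
        return "pkcs7-chain"
    if inner_tag == 0x30:
        return "certificate-or-pkcs10"   # both start SEQUENCE { SEQUENCE ... }
    return "unknown"

# Constructed sample: minimal ContentInfo { signedData OID, [0] EXPLICIT SEQUENCE {} },
# wrapped with the same "CERTIFICATE" label the CA's chain export in step 1.2 uses.
SAMPLE_CHAIN = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(
    bytes.fromhex("300f" + "06092a864886f70d010702" + "a0023000")).decode()
```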

3.     Create an IPSec SA policy for certificate authentication users.

3.1.  In the Cisco VPN management tool, go to “Configuration | Policy Management | Traffic Management | Security Associations”.

3.2.  Add a new IPSec SA.

3.3.  Configure the SA.  At Dartmouth, we started with the values we used in an SA that we had already configured for Radius authenticated logins.

3.4.  Select your VPN identity certificate to use with this SA.  At Dartmouth, we also chose the “Identity Certificate Only” feature because we expect Dartmouth clients to have the Dartmouth CA in their trusted root store and we have no intermediate certificates in the chain.

3.5.  Name your SA to indicate that it is for use with certificate authentication.

3.6.  Click Add.

4.     Create a group in the VPN appliance for certificate authentication users.

4.1.  In the Cisco VPN admin tool, go to “Configuration | User Management | Groups | Add”.

4.2.  Add a new group named for certificate users.  Again, at Dartmouth we copied one that was for Radius authentication and modified it for certificate purposes.

4.3.  In the IPSec configuration section, set the following:

4.3.1.  IPSec SA = the SA you created for certificate authentication.

4.3.2.  IKE Peer Identity Validation = Do not check.

4.3.3.  Authentication = none.  (Authentication is accomplished using certificates.)

4.3.4.  Save your new group.

5.     Establish a certificate group matching policy.

5.1.  In the Cisco VPN admin tool, go to “Configuration | Policy Management | Certificate Group Matching | Policy”.

5.2.  Choose the policy you wish to use.  The Cisco DC= bug mentioned above is currently preventing us from doing group matching based on fields in the certificate (e.g. O=”Dartmouth College”).  So we chose “Default to Group” and selected our certificate authentication users group.

5.3.  Click Apply.

6.     Establish certificate group matching rules (optional depending on policy).

6.1.  In the Cisco VPN admin tool, go to “Configuration | Policy Management | Certificate Group Matching | Rules”.

6.2.  Use the Cisco facilities to construct the rules you want to match fields in the user certificate (they can get pretty fancy if you want).  For each rule, assign the appropriate group that matching users should be put into.  At Dartmouth, we currently have just one group.

6.3.  Save your rules.  If you chose rule-based matching in the policy step above, these rules are applied in order to each certificate during authentication to determine which group the user falls into.  If a certificate matches no rule, authentication fails.  You can configure different groups to treat different types of users differently (e.g. OU=”Admin” gets assigned a different subnet).
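To make the two policies from steps 5.2 and 6.3 concrete, here is an added model of the group assignment (example code, not Cisco's implementation): “Default to Group” puts every authenticated certificate into one group, while rule matching walks the configured rules in order and fails authentication when nothing matches. It assumes chain validation against the CA from step 1 has already succeeded, and the rules, groups and subject DNs are constructed; note that on the concentrator version the page describes, DNs carrying DC= components were shown as “Unknown”, which is why the page falls back to “Default to Group”.

```python
# Policies as configured under Certificate Group Matching | Policy (constructed names).
POLICY_DEFAULT_GROUP = "default-to-group"
POLICY_RULES = "match-rules"

def parse_dn(dn):
    """Split a subject DN such as 'CN=Jane, OU=Admin, O=Dartmouth College, DC=Dartmouth, DC=edu'
    into an ordered list of (ATTR, value). Simplified: commas inside values are not handled."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip().strip('"')))
    return pairs

def rule_matches(rule, dn_pairs):
    """A rule is a list of (attr, value) conditions; every one must appear in the DN."""
    return all((attr.upper(), value) in dn_pairs for attr, value in rule)

def assign_group(subject_dn, policy, rules=(), default_group=None):
    """Return the group the user lands in, or None when no rule matches (authentication fails)."""
    if policy == POLICY_DEFAULT_GROUP:
        return default_group           # every cert from the trusted CA goes to one group
    dn_pairs = parse_dn(subject_dn)
    for rule, group in rules:          # rules are tried in configured order; first match wins
        if rule_matches(rule, dn_pairs):
            return group
    return None

# Constructed rules: the more specific admin rule first, then everyone else in the organization.
RULES = [
    ([("OU", "Admin"), ("O", "Dartmouth College")], "cert-admins"),
    ([("O", "Dartmouth College")], "cert-users"),
]
```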

7.     Test certificate authentication.

7.1.  Start the Cisco VPN dialer.

7.2.  Create a new profile that specifies certificate authentication and choose a certificate issued by your CA (the same one that signed the identity certificate that you created above).

7.3.  Connect using the certificate profile.

7.4.  If you have troubles connecting, you may find the logging facility in the Cisco VPN admin tool useful: “Monitoring | Live Event Log”.

8.     Implement Certificate Revocation Lists (CRLs) (optional).