How To Machine Certificaten Ssl Uacv1
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View How To Machine Certificaten Ssl Uacv1 as PDF for free.
More details
- Words: 1,030
- Pages: 13
Machine certification
Prepared for: Securelink Draaiboomstraat 6 2160 Wommelgem
Prepared by: Wim De Smet Version 1.0 Monday, 07 April 2008
Table of Contents MACHINE CERTIFICATES
3
Create certificate at AD
3
Config UAC/SSL for Machine certf Import Root CA cert Configure CRL Configure Host Checker for Machine authentication Attach host check to realm/role
4 4 5 6 6
Configure OAC client OAC user authentication
8 8
Logging Succesfull login Failed login
SecureLink NV
10 10 11
CUSTOMER
Page 2 of 13
Machine certificates We will create machine certificates for the domain workstations. Later we will be able to use these to do machine authentication via SSL/UAC.
Create certificate at AD 1. Open Active Directory Users and Computers. 2. In the console tree, double-click Active Directory Users and Computers, rightclick the domain name in which your CA lives, and then click Properties. 3. On the Group Policy tab, click Default Domain Policy, and then click Edit. 4. In the console tree, right-click Automatic Certificate Request Settings, point to (ew, and then click Automatic Certificate Request.
Where? •Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Automatic Certificate Request Settings
SecureLink NV
CUSTOMER
Page 3 of 13
5. When the Automatic Certificate Request wizard appears, click (ext. 6. In Certificate templates, click Computer, and then click (ext. Your enterprise root CA appears on the list. 7. Click the CA, click (ext, and then click Finish. 8. To create a computer certificate for the CA computer, type the following at the command prompt: gpupdate /target:Computer
Config UAC/SSL for Machine certf Import Root CA cert Before we can begin we need to import the root CA certf in the trusted client CA.
SecureLink NV
CUSTOMER
Page 4 of 13
Configure CRL Here we import the root CA certificate, so we can configure the OSCP/CRL settings. For this setup we have chosen to use CRL checking only. This means we need to fill in the URL where he can download the CRL list from. Microsoft CA server will publish this CRL on following URL: http://mailsrv1.securelink.local/CertEnroll/SecureLink CA.crl Now you will see how big the CRL is and how many revocation certificates there are.
SecureLink NV
CUSTOMER
Page 5 of 13
Configure Host Checker for Machine authentication At the host Checker settings we will create a new policy, this policy will include a new rule (machine Certificate rule). Now we will be able to enable this host check policy on the correct realm, so that we can do machine authentication based on
certificates.
Attach host check to realm/role You have 2 time periods where you can check the compliancy of the host. First time is before the assignment of the ip (in the EAP-JUAC tunnel (when done with UAC and 802.1X). The second time is when the user passed the authentication and has given an ip address. Now the check will be done every given time (you can configure this), if this check fails the connection will be broken.
SecureLink NV
CUSTOMER
Page 6 of 13
At above screenshot you see that we evaluate and require/enforce this host checker for
this policy. When you look at the screenshot below, you will see that we recheck the host check every 5 min.
SecureLink NV
CUSTOMER
Page 7 of 13
When all this is done, we have user authentication with a certification check. This means that we not only check if this is a know user, but that also the machine must be known. Now we have to configure the 802.1X supplicant.
Configure OAC client Here we will discus the configuration of the OAC client for user authentication and certification check. This setup is straitforward because the certification part is done on the IC like explained above. At the client side we only need to configure the 802.1X part
OAC user authentication We will use our Microsoft credentials for authentication, if wanted you can also use a other username and password if needed.
Profile
We made a machine_certf profile which uses Microsoft credential for authentication. If we go deeper into the methods we use, you will see that for authentication we use EAP-TTLS, this makes it possible to do the host check before the ip assignment. EAP-TTLS uses the EAP-JUAC has inner authentication protocol (this protocol is made by juniper), in this protocol we have the possiblility to do the host check. (Pre authentication host check)
SecureLink NV
CUSTOMER
Page 8 of 13
This profile will be attached to the Ethernet adapter.
SecureLink NV
CUSTOMER
Page 9 of 13
Adapter config
Here we see that the compliancy check is succesfull and that I meet the security policies.
Logging We can look at the logging of the Infranet Controller to see if authentication and certificate check works.
Succesfull login 2007-11-07 15:54:22 - ic - [192.168.100.55] securelink\wdesmet(Test8021X_Realm)[8021X role] - Connected to 192.168.100.550:agentman port 0
SecureLink NV
CUSTOMER
Page 10 of 13
2007-11-07 15:54:17 - ic - [0.0.0.0] securelink\wdesmet(Test8021X_Realm)[8021X role] - User assigned to vlan (Tunnel-Medium-Type='802' Tunnel-Type='13' TunnelPrivate-Group-ID='1') 2007-11-07 15:54:17 - ic - [0.0.0.0] securelink\wdesmet(Test8021X_Realm)[8021X role] - Agent login succeeded for securelink\wdesmet/Test8021X_Realm from 00-17A4-D6-A2-52. 2007-11-07 15:54:17 - ic - [0.0.0.0] securelink\wdesmet(Test8021X_Realm)[] - Host Checker policy 'Certf_check' passed on host using 802.1X authentication for user 'securelink\wdesmet'. 2007-11-07 15:54:17 - ic - [0.0.0.0] securelink\wdesmet(Test8021X_Realm)[] Primary authentication successful for securelink\wdesmet/SecureLink_AD from 0017-A4-D6-A2-52 You can cleary see that the Machine certificate check Is done before ip assignment!
Failed login 2007-11-07 15:46:50 - ic - [0.0.0.0] SECURELINK\wdesmet(Test8021X_Realm)[] Login failed. Reason: NoRoles 2007-11-07 15:46:50 - ic - [0.0.0.0] SECURELINK\wdesmet(Test8021X_Realm)[] Login failed from 00-17-A4-D6-A2-52 for SECURELINK\wdesmet/Test8021X_Realm. All roles restricted. 2007-11-07 15:46:50 - ic - [0.0.0.0] wdesmet(Test8021X_Realm)[] - Host Checker policy 'Certf_check' failed on host using 802.1X authentication for user 'wdesmet'. Reason: '"Machine certificate has been revoked"'.
SecureLink NV
CUSTOMER
Page 11 of 13
2007-11-07 15:46:50 - ic - [0.0.0.0] SECURELINK\wdesmet(Test8021X_Realm)[] Primary authentication successful for SECURELINK\wdesmet/SecureLink_AD from 00-17-A4-D6-A2-52
You can now see that I don’t have access anymore, and the client tell’s me that I failed one or more security policy’s. If I want to know why I can click on the link to see why:
SecureLink NV
CUSTOMER
Page 12 of 13
Here we see the reason of the disconnect => Machine Certificate has been revoked!!
SecureLink NV
CUSTOMER
Page 13 of 13
Prepared for: Securelink Draaiboomstraat 6 2160 Wommelgem
Prepared by: Wim De Smet Version 1.0 Monday, 07 April 2008
Table of Contents MACHINE CERTIFICATES
3
Create certificate at AD
3
Config UAC/SSL for Machine certf Import Root CA cert Configure CRL Configure Host Checker for Machine authentication Attach host check to realm/role
4 4 5 6 6
Configure OAC client OAC user authentication
8 8
Logging Succesfull login Failed login
SecureLink NV
10 10 11
CUSTOMER
Page 2 of 13
Machine certificates We will create machine certificates for the domain workstations. Later we will be able to use these to do machine authentication via SSL/UAC.
Create certificate at AD 1. Open Active Directory Users and Computers. 2. In the console tree, double-click Active Directory Users and Computers, rightclick the domain name in which your CA lives, and then click Properties. 3. On the Group Policy tab, click Default Domain Policy, and then click Edit. 4. In the console tree, right-click Automatic Certificate Request Settings, point to (ew, and then click Automatic Certificate Request.
Where? •Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Automatic Certificate Request Settings
SecureLink NV
CUSTOMER
Page 3 of 13
5. When the Automatic Certificate Request wizard appears, click (ext. 6. In Certificate templates, click Computer, and then click (ext. Your enterprise root CA appears on the list. 7. Click the CA, click (ext, and then click Finish. 8. To create a computer certificate for the CA computer, type the following at the command prompt: gpupdate /target:Computer
Config UAC/SSL for Machine certf Import Root CA cert Before we can begin we need to import the root CA certf in the trusted client CA.
SecureLink NV
CUSTOMER
Page 4 of 13
Configure CRL Here we import the root CA certificate, so we can configure the OSCP/CRL settings. For this setup we have chosen to use CRL checking only. This means we need to fill in the URL where he can download the CRL list from. Microsoft CA server will publish this CRL on following URL: http://mailsrv1.securelink.local/CertEnroll/SecureLink CA.crl Now you will see how big the CRL is and how many revocation certificates there are.
SecureLink NV
CUSTOMER
Page 5 of 13
Configure Host Checker for Machine authentication At the host Checker settings we will create a new policy, this policy will include a new rule (machine Certificate rule). Now we will be able to enable this host check policy on the correct realm, so that we can do machine authentication based on
certificates.
Attach host check to realm/role You have 2 time periods where you can check the compliancy of the host. First time is before the assignment of the ip (in the EAP-JUAC tunnel (when done with UAC and 802.1X). The second time is when the user passed the authentication and has given an ip address. Now the check will be done every given time (you can configure this), if this check fails the connection will be broken.
SecureLink NV
CUSTOMER
Page 6 of 13
At above screenshot you see that we evaluate and require/enforce this host checker for
this policy. When you look at the screenshot below, you will see that we recheck the host check every 5 min.
SecureLink NV
CUSTOMER
Page 7 of 13
When all this is done, we have user authentication with a certification check. This means that we not only check if this is a know user, but that also the machine must be known. Now we have to configure the 802.1X supplicant.
Configure OAC client Here we will discus the configuration of the OAC client for user authentication and certification check. This setup is straitforward because the certification part is done on the IC like explained above. At the client side we only need to configure the 802.1X part
OAC user authentication We will use our Microsoft credentials for authentication, if wanted you can also use a other username and password if needed.
Profile
We made a machine_certf profile which uses Microsoft credential for authentication. If we go deeper into the methods we use, you will see that for authentication we use EAP-TTLS, this makes it possible to do the host check before the ip assignment. EAP-TTLS uses the EAP-JUAC has inner authentication protocol (this protocol is made by juniper), in this protocol we have the possiblility to do the host check. (Pre authentication host check)
SecureLink NV
CUSTOMER
Page 8 of 13
This profile will be attached to the Ethernet adapter.
SecureLink NV
CUSTOMER
Page 9 of 13
Adapter config
Here we see that the compliancy check is succesfull and that I meet the security policies.
Logging We can look at the logging of the Infranet Controller to see if authentication and certificate check works.
Succesfull login 2007-11-07 15:54:22 - ic - [192.168.100.55] securelink\wdesmet(Test8021X_Realm)[8021X role] - Connected to 192.168.100.550:agentman port 0
SecureLink NV
CUSTOMER
Page 10 of 13
2007-11-07 15:54:17 - ic - [0.0.0.0] securelink\wdesmet(Test8021X_Realm)[8021X role] - User assigned to vlan (Tunnel-Medium-Type='802' Tunnel-Type='13' TunnelPrivate-Group-ID='1') 2007-11-07 15:54:17 - ic - [0.0.0.0] securelink\wdesmet(Test8021X_Realm)[8021X role] - Agent login succeeded for securelink\wdesmet/Test8021X_Realm from 00-17A4-D6-A2-52. 2007-11-07 15:54:17 - ic - [0.0.0.0] securelink\wdesmet(Test8021X_Realm)[] - Host Checker policy 'Certf_check' passed on host using 802.1X authentication for user 'securelink\wdesmet'. 2007-11-07 15:54:17 - ic - [0.0.0.0] securelink\wdesmet(Test8021X_Realm)[] Primary authentication successful for securelink\wdesmet/SecureLink_AD from 0017-A4-D6-A2-52 You can cleary see that the Machine certificate check Is done before ip assignment!
Failed login 2007-11-07 15:46:50 - ic - [0.0.0.0] SECURELINK\wdesmet(Test8021X_Realm)[] Login failed. Reason: NoRoles 2007-11-07 15:46:50 - ic - [0.0.0.0] SECURELINK\wdesmet(Test8021X_Realm)[] Login failed from 00-17-A4-D6-A2-52 for SECURELINK\wdesmet/Test8021X_Realm. All roles restricted. 2007-11-07 15:46:50 - ic - [0.0.0.0] wdesmet(Test8021X_Realm)[] - Host Checker policy 'Certf_check' failed on host using 802.1X authentication for user 'wdesmet'. Reason: '"Machine certificate has been revoked"'.
SecureLink NV
CUSTOMER
Page 11 of 13
2007-11-07 15:46:50 - ic - [0.0.0.0] SECURELINK\wdesmet(Test8021X_Realm)[] Primary authentication successful for SECURELINK\wdesmet/SecureLink_AD from 00-17-A4-D6-A2-52
You can now see that I don’t have access anymore, and the client tell’s me that I failed one or more security policy’s. If I want to know why I can click on the link to see why:
SecureLink NV
CUSTOMER
Page 12 of 13
Here we see the reason of the disconnect => Machine Certificate has been revoked!!
SecureLink NV
CUSTOMER
Page 13 of 13
Related Documents
How To Machine Certificaten Ssl Uacv1
October 2019 10
How To Apache Ssl
December 2019 31
Ssl
May 2020 24
Ssl
November 2019 36
Ssl
December 2019 37