SSL VPN
Visitor
Posts: 4
Registered: ‎02-03-2009
0
Accepted Solution

Info. needed on Certificate-only Authentication

Hi All, 

I'm new to the IVE and forum so excuse the ignorance. I presently have 2 factor auth. (cert and AD) and SSO to Outlook2007/OWA working great on 6.3R2. I have created a different realm for users that I want to use certificate-only authentication. I cannot get it to work, I still get the login page. Apparently I'm missing something. Can I do SSO with Cert-only auth.?

Some direction would be appreciated and remember I'm new to the IVE so don't worry about insulting me. All info. is appreciated.

Distinguished Expert
muttbarker
Posts: 2,294
Registered: ‎01-29-2008

Re: Info. needed on Certificate-only Authentication

Hey Powerman - welcome to the forum - SSO w/certs - three steps:

 

#1- Create a client side cert from your internal cert server and import it into the SA box. This will be the cert that resides on client PCs and that the SA unit will match against. Import is done under the Config/Certs/Trusted Client CA's tab.

#2- Define an auth server for the certificate login process.

#3 - Define a user realm that uses that auth server for the auth process.

 

Very simple, straightforward - if you run into any issues post away.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Visitor
Posts: 4
Registered: ‎02-03-2009
0

Re: Info. needed on Certificate-only Authentication

Thanks for the info. and that confirms I was on the right track. Still having the same trouble so I'm missing something. Should the user cert be a browser cert or machine cert? I created a Certificate server for auth w/default settings on the IVE. Should I use authorization or authentication? Any suggestion?
Distinguished Expert
muttbarker
Posts: 2,294
Registered: ‎01-29-2008

Re: Info. needed on Certificate-only Authentication


1- User cert should be a browser cert

2- Use the auth-server you defined for authentication to the realm. Then use whatever else for authorization / role mapping, i.e. LDAP....

3- When you downloaded the CA certificate for installing into the IVE did you use an encoding method of "Base 64"?

4- Does it read "trusted for client authentication"?

 

If you are still stuck I can send you the documentation (screen shots) that I did for my customers. We are resellers on this product so I put together a high level "how to" for my end user customers.

 

I am out of the office today but could pull it off my documentation server tomorrow and send it if it would help.

Message Edited by muttbarker on 02-03-2009 02:49 PM
Kevin Barker
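
An added example, not part of the thread or of the how-to document mentioned in it: an off-box OpenSSL check for two of the points raised above, whether the exported CA file is Base 64 (PEM) encoded and whether a user certificate chains to that CA and is acceptable for TLS client authentication. The CA, subjects and file names are constructed for the demo and OpenSSL on an admin workstation is assumed; the IVE's own Trusted Client CA settings are not inspected.

```bash
#!/bin/sh
# Added example: off-box checks before importing a CA under Trusted Client CAs.
# All names, subjects and files below are constructed for the demo.

# 0 if the file is a Base64 (PEM) certificate, non-zero if DER or unreadable.
is_base64_cert() {
  grep -q -e '^-----BEGIN CERTIFICATE-----' "$1" &&
    openssl x509 -in "$1" -noout 2>/dev/null
}

# 0 if user cert $2 chains to CA $1 and is acceptable for TLS client auth.
valid_for_client_auth() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway CA (PEM and DER copies) and two user certs in directory $1:
# one with the clientAuth extended key usage, one with serverAuth only.
make_demo_pki() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.der"
  for eku in clientAuth serverAuth; do
    printf 'extendedKeyUsage = %s\n' "$eku" > "$d/$eku.ext"
    openssl req -new -config "$d/ca.cnf" -subj "/CN=demo-$eku" -newkey rsa:2048 \
      -nodes -keyout "$d/$eku.key" -out "$d/$eku.csr" 2>/dev/null
    openssl x509 -req -in "$d/$eku.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -extfile "$d/$eku.ext" -out "$d/$eku.pem" 2>/dev/null
  done
}

demo=$(mktemp -d) && make_demo_pki "$demo"
for f in ca.pem ca.der; do
  if is_base64_cert "$demo/$f"; then echo "$f: Base64"; else echo "$f: not Base64, re-export"; fi
done
for c in clientAuth serverAuth; do
  if valid_for_client_auth "$demo/ca.pem" "$demo/$c.pem"; then echo "$c.pem: usable for client auth"
  else echo "$c.pem: rejected for client auth"; fi
done
rm -rf "$demo"
```

Against real files, call the two check functions with the CA certificate downloaded from the internal cert server and a user's exported public certificate.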
Visitor
Posts: 4
Registered: ‎02-03-2009
0

Re: Info. needed on Certificate-only Authentication

I'm embarrassed to say it but "I'm not smarter than a fifth grader". When I read the email you sent I realized that I was forgetting to change my sign-in page so it would not show the login page. If I had entered the realm only it would have worked. Thanks for the assistance and I'll get back to you about the file you sent.

You deserve KUDOS for this and as soon as I find how to do it, I will. Thanks Again

drf
Contributor
drf
Posts: 46
Registered: ‎09-23-2008
0

Re: Info. needed on Certificate-only Authentication

Powerman,

 

You said that "I still get the login page." Are you saying that you cannot login to the IVE with your certificate realm or that the SSO is not working and you get the OWA login page?

 

Make sure that your browser contains the correct Certificate Authorities and the "Trusted Client CA" in the IVE is set to allow Client Authentication.

Visitor
cmcguire
Posts: 6
Registered: ‎01-26-2010
0

Re: Info. needed on Certificate-only Authentication

Kevin,

 

Wondering if you'd be able to shoot me a copy of your how-to/screenshot document for setting up Certificate authentication on the SSL platform. I've not done it before and it sounds like your doc would be a great help.

 

Thanks in advance.

 

Colin McGuire

Distinguished Expert
muttbarker
Posts: 2,294
Registered: ‎01-29-2008
0

Re: Info. needed on Certificate-only Authentication

Sure - send me your email via private message and I will shoot you a copy.

Kevin Barker
MRK
Visitor
MRK
Posts: 3
Registered: ‎11-09-2009
0

Re: Info. needed on Certificate-only Authentication

 

Hi, I have the same problem, can you forward me the documentation to kkd_mrk@yahoo.com?

 

Thanks in advance.

Distinguished Expert
muttbarker
Posts: 2,294
Registered: ‎01-29-2008
0

Re: Info. needed on Certificate-only Authentication

Check your inbox!

Kevin Barker