Using EAP User Certificate Authentication for Remote Access VPNs - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]

Thomas W. Shinder; Debra Littlejohn Shinder

Using EAP User Certificate Authentication for Remote Access VPNs



You can significantly enhance the security of your ISA firewall's VPN remote access client connections by using EAP user certificate authentication. User certificate authentication requires that the user possess a user certificate issued by a trusted certificate authority.



Both the ISA firewall and the remote access VPN client must have the appropriate certificates assigned to them. You must assign the ISA firewall a machine certificate that the firewall can use to identify itself. Users must be assigned user certificates from a certificate authority that the ISA firewall trusts. When both the remote access client machine presenting the user certificate and the ISA firewall contain a common CA certificate in their Trusted Root Certification Authorities certificate stores, the client and server trust the same certificate hierarchy.



The steps required to support user certificate authentication for remote access client VPN connections to the ISA firewall include:

- Issuing a machine certificate to the ISA firewall
- Configuring the ISA firewall software to support EAP authentication
- Enabling User Mapping for EAP authenticated users
- Configuring the Routing and Remote Access Service to support EAP authentication
- Issuing a user certificate to the remote access VPN client machine







We have discussed the procedures for issuing a machine certificate to the ISA firewall in other chapters in this book and in the ISA Deployment Kits at www.isaserver.org, so we will not reiterate that procedure here. Instead, we'll start with configuring the ISA firewall software to support EAP authentication, and then discuss how to configure the RRAS service and the clients.








Note



The following exercises assume that you have already enabled and configured the ISA firewall's VPN server component before enabling EAP authentication support. Also note that this option is only available when the ISA firewall is a member of a domain. This provides another compelling reason for making the ISA firewall a domain member.





Configuring the ISA Firewall Software to Support EAP Authentication




Perform the following steps to configure the ISA firewall to support EAP authentication:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click Virtual Private Networks (VPN) in the left pane of the console.

2. While in Virtual Private Networks (VPN), click the Tasks tab in the Task pane. On the Tasks tab, click Authentication Methods.

3. In the Virtual Private Networks (VPN) Properties dialog box, put a checkmark in the Extensible authentication protocol (EAP) with smart card or other certificate (ISA Server must belong to a domain) checkbox (Figure 9.63).

   Figure 9.63: Setting EAP Authentication

4. Read the information in the Microsoft Internet Security and Acceleration Server 2004 dialog box. The dialog box reports that EAP authenticated users belong to the RADIUS namespace and are not part of the Windows namespace. To apply user-based access rules to these users you can either define a RADIUS user set for them or you can use user mapping to map these users to the Windows namespace. If user mapping is enabled, access rules applied to Windows users and groups will be applicable to EAP authenticated users.

   This is important information and describes the real utility of the User Mapping feature we discussed earlier in this chapter. Because EAP authentication doesn't use 'Windows' authentication, you cannot by default apply user/group access policy to VPN clients authenticating with EAP user certificates. However, if we enable User Mapping for these users and map the user names of the EAP certificate authenticated users to domain users, then the same access rules that you apply to users who log on using Windows authentication will be applied to the EAP user certificate authenticated users. We'll go over the procedures for enabling and configuring User Mapping in the next procedures in this section.

5. Click OK (as shown in Figure 9.64) to acknowledge that you read and understand this information.

   Figure 9.64: Warning about User Mapping and EAP

6. Click Apply, and then click OK.






Enabling User Mapping for EAP Authenticated Users




Perform the following steps to enable and configure User Mapping for EAP certificate authenticated users:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click Virtual Private Networks (VPN) in the left pane of the console.

2. While in Virtual Private Networks (VPN), click the Tasks tab in the Task pane. Click Configure VPN Client Access in the Tasks tab.

3. In the VPN Clients Properties dialog box, click the User Mapping tab.

4. On the User Mapping tab, put a checkmark in the Enable User Mapping checkbox. Put a checkmark in the When username does not contain a domain, use this domain checkbox. Since user certificates don't contain domain names, you should enable this option. In the Domain Name text box, enter the name of the domain that the ISA firewall belongs to. This allows the ISA firewall to map the user name of the EAP certificate-authenticated user to accounts in that domain, and rules applying to those users will then apply to the EAP-authenticated users in the same way as they would if the users had authenticated using traditional 'Windows' authentication.

5. Click Apply and then click OK (Figure 9.65).

   Figure 9.65: Enabling User Mapping for EAP Authentication

6. Click Apply to save the changes and update the firewall policy.

7. Click OK in the Apply New Configuration dialog box.






Issuing a User Certificate to the Remote Access VPN Client Machine




The VPN remote access client machines need to obtain user certificates and be configured to use the certificates to authenticate with the ISA firewall's remote access VPN server.



Perform the following steps to obtain a user certificate for the remote access VPN client:

1. Open Internet Explorer. In the Address bar, enter the URL for your certificate authority's Web enrollment site, and press ENTER.

2. Enter Administrator (or any name for which you want to obtain a user certificate) in the User Name text box. Enter the Administrator's password in the Password text box. Click OK.

3. On the Welcome page of the CA's Web enrollment site, click Request a certificate.

4. On the Request a Certificate page, click User Certificate.

5. Click Submit on the User Certificate - Identifying Information page.

6. Click Yes in the Potential Scripting Violation dialog box informing you that the Web site is requesting a new certificate on your behalf.

7. On the Certificate Issued page, click Install this certificate.

8. Click Yes in the Potential Scripting Violation dialog box informing you that the Web site is adding one or more certificates.

9. Close Internet Explorer.







We can configure the VPN connectoid to use user certificate authentication now that we have a user certificate installed on the remote access VPN client machine:

1. In the Dial-up and Network Connections window on the external network client, create a new VPN connectoid. Configure the connectoid to use the IP address 192.168.1.70 as the address of the VPN server.

2. When you complete the connection Wizard, you will see the Connect dialog box. Click Properties.

3. In the connectoid's Properties dialog box, click the Security tab. On the Security tab (Figure 9.66), select Advanced (custom settings). Click Settings.

   Figure 9.66: The Security Tab

4. In the Advanced Security Settings dialog box (Figure 9.67), select Use Extensible Authentication Protocol (EAP). Click Properties.

   Figure 9.67: Enabling EAP Authentication

5. In the Smart Card or other Certificate Properties dialog box, select Use a certificate on this computer. Place a checkmark by Validate server certificate. Place a checkmark by Connect only if server name ends with, and enter the domain name of the authentication server. In this example, the domain name of our Active Directory domain is msfirewall.org, so enter that name in the text box. In the Trusted root certificate authority list, select the name of the CA that issued the certificates. In this example, the CA name is EXCHANGE2003BE, so select that option. Click OK in the Smart Card or other Certificate Properties dialog box (Figure 9.68).

   Figure 9.68: The Smart Card or other Certificate Properties Dialog Box

6. Click OK in the Advanced Security Settings dialog box.

7. Click OK in the connectoid's Properties dialog box.

8. A Connect dialog box appears that contains the name on the user certificate you obtained from the CA (Figure 9.69). Click OK.

   Figure 9.69: Selecting the User Certificate for EAP User Authentication

The VPN link will establish, and you'll be authenticated by the DC on the corporate network.
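As an added example (not code from the book or from ISA Server), the following PowerShell function re-creates the checks that the Smart Card or other Certificate settings above express: a certificate must chain to the selected trusted root (EXCHANGE2003BE), carry the appropriate Enhanced Key Usage, and, when it is the server's certificate, have a name ending in msfirewall.org. The function and variable names are the example's own; it assumes the user certificate has already been installed in CurrentUser\My by the Web enrollment steps, and the EKU OIDs are the standard Client and Server Authentication values.

```powershell
# Added example, not the book's own: checks a certificate against the EAP settings shown in
# Figure 9.68. Assumes the user certificate is already in CurrentUser\My (after Web enrollment).
$ServerNameSuffix = 'msfirewall.org'    # "Connect only if server name ends with"
$TrustedRootName  = 'EXCHANGE2003BE'    # "Trusted root certificate authority" selection
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2' # Client Authentication EKU
$ServerAuthOid    = '1.3.6.1.5.5.7.3.1' # Server Authentication EKU
function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Read the Enhanced Key Usage extension directly instead of relying on display helpers.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
}
function Test-EapCertificate {
    # Role 'Client': a user certificate as the VPN client presents it; Role 'Server': the
    # client-side policy from Figure 9.68 applied to the ISA firewall's machine certificate.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role
    )
    $problems = @()
    if ($Cert.NotBefore -gt (Get-Date) -or $Cert.NotAfter -lt (Get-Date)) { $problems += 'outside validity period' }
    # Build the chain against the local Trusted Root store, checking revocation online.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Cert)) {
        $problems += @($chain.ChainStatus | ForEach-Object { "chain: $($_.Status)" })
    }
    if ($chain.ChainElements.Count -gt 0) {
        # The last element is the root the chain terminated at; it must be the selected CA.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootName = $root.GetNameInfo('SimpleName', $false)
        if ($rootName -ne $TrustedRootName) { $problems += "root CA is '$rootName', not '$TrustedRootName'" }
    }
    $ekus = @(Get-CertEkuOids -Cert $Cert)
    if ($Role -eq 'Client' -and $ekus -notcontains $ClientAuthOid) { $problems += 'missing Client Authentication EKU' }
    if ($Role -eq 'Server') {
        if ($ekus -notcontains $ServerAuthOid) { $problems += 'missing Server Authentication EKU' }
        $dns = $Cert.GetNameInfo('DnsName', $false)
        if (-not $dns.EndsWith($ServerNameSuffix, 'OrdinalIgnoreCase')) {
            $problems += "server name '$dns' does not end with '$ServerNameSuffix'"
        }
    }
    [pscustomobject]@{ Subject = $Cert.Subject; Role = $Role; OK = ($problems.Count -eq 0); Problems = $problems }
}
# Evaluate every certificate in the user's personal store as a candidate VPN user certificate.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-EapCertificate -Cert $_ -Role Client } | Format-List
```

Running it with -Role Server against a copy of the ISA firewall's machine certificate confirms, before any client is configured, that the name suffix and trusted root entered in the dialog will actually match.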


