Using Client Side Certificates as authentication
For client-side certificate authentication to work, the SA device needs to know the certificate authority that issues the client certificates and must trust it. That trust relationship is established by importing the CA certificate into the Juniper SA configuration.
To set up a trusted client CA:
1) On the SA device open Configuration > Certificates > Trusted Client CAs > Import CA Certificate
N.B. if you have a Microsoft CA installed on your network you can easily export the CA certificate from the CA’s web enrolment interface (http://%servername%/certsrv); the option to download the relevant certificate is at the bottom of the page.
2) Select the newly imported trusted CA (its name should appear in the list of trusted client CAs) to configure the remaining options, e.g. using a CRL to check for revoked certificates.
N.B. a CRL can be added by entering the CRL distribution point of the client CA. Again, if this is a Microsoft CA the default CRL is available at http://%servername%/certsrv/certcrl.crl.
Under the CRL checking options heading you can alter settings such as the CRL download frequency.
Obviously if your SA is placed in a DMZ you’ll need to open the correct ports on the firewall between the CA and the SA device(s), otherwise the SA cannot fetch the CRL.
3) Also make sure that the following options are selected:
- Trusted for client authentication
- Participate in client certificate negotiation
Creating a logon policy that requires users to have a certificate
This will ensure only users with a valid and trusted certificate are able to log onto a particular realm or role. For this example I’ll show how the policy is applied to a realm, but applying the same policy to a role is a very similar procedure.
1) Open user realms > %RealmName% > Authentication Policy > Certificate
2) Select the option ‘only allow users with a client-side certificate signed by Trusted Client CAs to sign in’
3) You’ll be asked to enter the certificate fields and values that will be considered valid for login. For the purpose of this example I’ll create a rule that checks the organisation name on the certificate against an expected value.
Under the Certificate field heading enter ‘o’ (without the quotes); this is the attribute for Organisation name.
Under the Expected value heading enter the organisation name, e.g. companyA (this must match the organisation name on the certificates issued by your local CA).
I’ve used the organisation name here, but any field found in the certificate, e.g. first/last name, county or country, can be used instead of, or as well as, the field used in this example.
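As an added illustration (not part of the original article and not Juniper’s code), the following Python reproduces the two checks the realm policy above combines: the presented certificate must be validly signed by the CA imported under Trusted Client CAs, and only then is its ‘o’ field compared with the expected value companyA. The CA and client certificates are constructed in memory with the cryptography library, and the look-alike CA is a constructed example of why the signature check, not just the field match, decides the outcome.

```python
# Added example: emulate the SA realm policy checks on a client certificate.
# Constructed CA and client certificates; nothing here is from the article.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def subject(org, cn):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subj, issuer_cert, issuer_key, key, is_ca=False):
    """Sign a one-day certificate for 'key'; issuer_cert=None gives a self-signed CA."""
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer = issuer_cert.subject if issuer_cert else subj
    return (x509.CertificateBuilder().subject_name(subj).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def cert_allowed(cert, trusted_ca, field_oid, expected):
    """True only if cert is signed by trusted_ca AND the chosen subject field matches."""
    if cert.issuer != trusted_ca.subject:          # issuer name must be the trusted CA
        return False
    try:                                           # and the signature must verify with its key
        trusted_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    # Only now does the field/expected-value rule (‘o’ = companyA) get applied.
    return expected in [a.value for a in cert.subject.get_attributes_for_oid(field_oid)]

# Constructed trust anchor: stands in for the CA certificate imported into the SA.
ca_key = ec.generate_private_key(ec.SECP256R1())
ca_cert = issue(subject("companyA", "companyA Issuing CA"), None, ca_key, ca_key, is_ca=True)
# Constructed look-alike CA with the same name but a different key; NOT imported into the SA.
rogue_key = ec.generate_private_key(ec.SECP256R1())
rogue_ca = issue(subject("companyA", "companyA Issuing CA"), None, rogue_key, rogue_key, is_ca=True)

user_key = ec.generate_private_key(ec.SECP256R1())
good_cert = issue(subject("companyA", "alice"), ca_cert, ca_key, user_key)        # allowed
wrong_org = issue(subject("companyB", "bob"), ca_cert, ca_key, user_key)          # trusted CA, o mismatch
rogue_cert = issue(subject("companyA", "mallory"), rogue_ca, rogue_key, user_key)  # o matches, untrusted CA

if __name__ == "__main__":
    for label, c in [("good", good_cert), ("wrong_org", wrong_org), ("rogue", rogue_cert)]:
        print(label, cert_allowed(c, ca_cert, NameOID.ORGANIZATION_NAME, "companyA"))
```

A production check would additionally enforce the validity period and consult the CRL configured in step 2, which this example leaves out.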
That’s all there is to it!