
Cisco VPN 3000 Series Concentrators

VPN 3000 Concentrator and VPN Client Authentication using SC2 (TM) Apollo OS Smart Card Configuration Example

Document ID: 62992

Updated: Jan 23, 2006


Introduction

Contributing Author: Eyal Webber-Zvik, SCsquare Ltd.

This document describes how to use the SC2 (TM) Apollo OS Smart Card for secure, smart card-based certificate authentication between a Cisco VPN Client and a Cisco VPN 3000 Concentrator. The user's certificate is issued by a Windows Certificate Authority and stored on the card, the card's Cryptographic Service Provider (CSP) prompts for the PIN when the VPN connection is started, and both the VPN Client and the concentrator accept only certificates that chain to the CA certificate they have imported.

This document is based on a lab test completed with a Windows Server 2003 Enterprise Edition system running Certificate Services as the Certificate Authority (CA), a Windows XP Professional workstation running the VPN Client with a smart card reader attached, and a Cisco VPN 3000 Concentrator.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco VPN 3000 Concentrator software version 4.1.3 (released 12-Apr-2004)

  • Cisco VPN Client 4.0.3 (D)

  • SC2 (TM) Apollo OS Smart Card (contact interface) versions 2.3, 2.4, and 2.41

  • SC2 (TM) Apollo OS Smart Card (dual interface) version 3.01

  • SC2 (TM) Cryptographic Service Provider (CSP) version 3.11

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Setup

Use the procedures in these sections, in the order given, to configure VPN 3000 Concentrator and VPN Client authentication with the SC2 (TM) Apollo OS Smart Card. Each section depends on the previous one: the CA must exist before a user's card can be enrolled, and the CA certificate must be installed on the VPN Client and on the concentrator before the concentrator's own identity certificate can be installed and a connection attempted.

Windows 2003 Enterprise Certificate Authority Installation

Complete these steps in order to install the Windows 2003 Enterprise Certificate Authority.

  1. Choose Control Panel > Add or Remove Programs > Add/Remove Windows Components.

  2. Check Certificate Services and click Next.

    vpn3k-scsquare-1.gif

  3. Choose Enterprise root CA and click Next. A Stand-alone root CA is also offered here, and which one fits depends on your PKI architecture, but the certificate templates this document uses later (Enrollment Agent, Smartcard User and Web Server) exist only on an Enterprise CA, which must be a member of an Active Directory domain.

    vpn3k-scsquare-2.gif

  4. Enter the common name for your CA, set the validity period of its certificate, and click Next.

    vpn3k-scsquare-3.gif

  5. It is recommended to leave these fields with their default values and click Next.

    vpn3k-scsquare-4.gif

  6. Click Finish.

    vpn3k-scsquare-5.gif

Windows 2003 Enterprise Certificate Authority Configuration

Complete these steps in order to configure Windows 2003 Enterprise Certificate Authority.

  1. Choose Control Panel > Administrative Tools > Certificate Authority.

  2. Right-click Certificate Templates and choose New > Certificate Template to Issue.

    vpn3k-scsquare-6.gif

  3. Choose the Enrollment Agent certificate template and click OK. Restrict the Enroll permission on this template to the accounts that actually issue cards on behalf of other users: the holder of an Enrollment Agent certificate can request a smart card certificate in the name of any user.

    vpn3k-scsquare-7.gif

  4. Repeat steps 2 and 3, this time choosing the Smartcard User certificate template, and click OK.

    vpn3k-scsquare-8.gif

User's Smart Card Digital Certificate Request

Complete these steps to request a user's smart card digital certificate.

  1. Go to the Certificate Authority web interface (the Certificate Services web enrollment pages at http://<CA server>/certsrv, where <CA server> is the name of your CA).

  2. Choose Request a certificate.

    vpn3k-scsquare-9.gif

  3. Choose advanced certificate request.

    vpn3k-scsquare-10.gif

  4. Choose Create and submit a request to this CA.

    vpn3k-scsquare-11.gif

  5. Choose the Smartcard User certificate template.

  6. In the CSP list, choose the Apollo SC2 (TM) CSP. This selection is what causes the key pair and the certificate to be handled by the smart card's CSP rather than the Windows software key store.

  7. Verify that all the selections in your form match the selections that the window in step 8 shows.

  8. Click Submit and enter your PIN when requested.

    vpn3k-scsquare-12.gif

    vpn3k-scsquare-13.gif

  9. Once the certificate is issued, click Install this certificate to have the certificate stored on your smart card.

    vpn3k-scsquare-14.gif

  10. This message appears after a successful certificate installation.

    vpn3k-scsquare-15.gif

VPN Client Setup

Complete these steps in order to setup the VPN Client.

  1. Open the browser and go to the CA's Certificate Services page.

  2. Choose Download a CA certificate, certificate chain, or CRL.

    vpn3k-scsquare-16.gif

  3. Verify that all the selections in your form match the selections that the window in step 4 shows.

  4. Choose Download CA certificate.

    vpn3k-scsquare-17.gif

  5. Click Save in order to save the downloaded certificate on your computer.

    vpn3k-scsquare-18.gif

  6. Choose the location on your computer to where you want to save the CA certificate.

  7. Enter a name for the certificate and click Save.

    vpn3k-scsquare-19.gif

  8. Start the VPN Client utility.

    vpn3k-scsquare-20.gif

  9. From the Certificates menu, enable the Show CA/RA Certificate option.

  10. Click Import.

    vpn3k-scsquare-21.gif

  11. In the Import Certificate dialog, select Import from file and click Browse.

    vpn3k-scsquare-22.gif

  12. Choose the CA certificate you previously saved and click Open.

    vpn3k-scsquare-23.gif

  13. This message appears when you successfully import the certificate.

    vpn3k-scsquare-24.gif

  14. The CA certificate is now listed in the VPN Client application, under the Certificates tab.

    vpn3k-scsquare-25.gif

VPN 3000 Concentrator Configuration

Complete these steps in order to configure the VPN 3000 Concentrator.

  1. Open the VPN 3000 Concentrator Series Manager administration web interface.

  2. Log in as Administrator.

    vpn3k-scsquare-26.gif

  3. On the left side of your screen select Configuration > Tunneling and Security > IPSec > IKE Proposals.

  4. Click Add (in the middle of the screen) to add a new IKE proposal.

    vpn3k-scsquare-27.gif

  5. In the Add form, complete the required fields as this window shows. The field that matters for this document is Authentication Mode: it must be one of the certificate (RSA) modes rather than preshared keys, and because the VPN Client in this configuration also asks for a username and password after the smart card PIN, the proposal uses the certificate mode with XAUTH.

    vpn3k-scsquare-28.gif

  6. Click Add when you are done.

  7. Verify that the new IKE proposal is listed in the Active Proposals list, and click the Save Needed link on the upper right corner of the form.

    vpn3k-scsquare-29.gif

  8. On the left side of your screen, select Administration > Certificate Management > Installation.

  9. Choose Install CA certificate.

    vpn3k-scsquare-30.gif

  10. Choose Upload File from Workstation.

    vpn3k-scsquare-31.gif

  11. Click Browse and select your CA certificate file (the one you previously saved).

    vpn3k-scsquare-32.gif

  12. On the left side of your screen select Administration > Certificate Management.

  13. Verify that the CA certificate is listed in the Certificate Authorities certificates table.

    vpn3k-scsquare-33.gif

  14. On the left side of your screen select Administration > Certificate Management > Enrollment > Identity Certificate > PKCS10.

  15. Complete the form fields as this window shows and click Enroll when you are done. The Common Name entered here becomes the subject of the concentrator's identity certificate. The key pair is generated on the concentrator and never leaves it; only the PKCS#10 request is sent to the CA.

    vpn3k-scsquare-34.gif

  16. A new window opens with the PKCS#10 certificate request in it.

VPN Concentrator Identity Certificate (VPN Certificate) Request

Complete these steps in order to request a VPN Concentrator identity certificate (VPN Certificate).

  1. Copy the entire contents of the certificate request, including the BEGIN and END lines, to the clipboard.

    vpn3k-scsquare-35.gif

  2. Go to the Certificate Authority web interface and select Request a certificate.

    vpn3k-scsquare-36.gif

  3. Choose advanced certificate request.

    vpn3k-scsquare-37.gif

  4. Choose Submit a certificate request by using a base-64-encoded....

    vpn3k-scsquare-38.gif

  5. Paste the request you previously copied to the clipboard into the Saved Request edit box.

  6. In Certificate Template, select Web Server. The account you are logged on with must have Enroll permission on this template, or the CA denies the request.

  7. Click Submit.

    vpn3k-scsquare-39.gif

  8. When you are done, click Save to save the issued certificate to your computer.

    vpn3k-scsquare-40.gif

  9. Return to the VPN 3000 Concentrator administration web interface.

  10. Log in as Administrator.

  11. On the left side of your screen, select Administration > Certificate Management > Installation.

  12. Choose Install certificate obtained via enrollment.

    vpn3k-scsquare-41.gif

  13. Click the Install link.

    vpn3k-scsquare-42.gif

  14. Choose Upload File from Workstation.

    vpn3k-scsquare-43.gif

  15. Click Browse and select the saved certificate.

    vpn3k-scsquare-44.gif

  16. Verify that the certificate is listed in the Identity Certificates table.

    vpn3k-scsquare-45.gif

  17. On the left side of your screen, select Configuration > Policy Management > Traffic Management > SAs.

  18. Click Add to add a new SA.

    vpn3k-scsquare-46.gif

  19. In the Add page, complete the form fields as this window shows and click Add. The IKE Parameters section of this SA is where the identity certificate installed in step 16 (Digital Certificate) and the IKE proposal created in the VPN 3000 Concentrator Configuration section (IKE Proposal) are tied together.

    vpn3k-scsquare-47.gif

  20. On the left side of your screen, select Configuration > User Management > Groups.

  21. Click Add Group to add a new group.

    vpn3k-scsquare-48.gif

  22. In the Identity tab of the Add Group page, complete the form fields as this window shows, then go to the General tab.

    vpn3k-scsquare-49.gif

  23. In the General tab, complete the form fields as this window shows and go to the IPSec tab when you are done.

    vpn3k-scsquare-50.gif

  24. In the IPSec tab, complete the form fields as this window shows (this is where the group is bound to the SA created in step 19) and click Add.

    vpn3k-scsquare-51.gif

  25. On the left side of your screen, select Configuration > User Management > Users and click Add to add a new user.

    vpn3k-scsquare-52.gif

  26. In the Identity tab of the Add User page, complete the form fields as this window shows and click Add. The username and password set here are what the VPN Client prompts for after the smart card PIN.

    vpn3k-scsquare-53.gif

VPN Client Configuration

Complete these steps in order to configure the VPN Client.

  1. Start the VPN Client application.

    vpn3k-scsquare-54.gif

  2. Go to the Connection Entries tab and click New to add a new connection entry.

  3. In the Create New VPN Connection Entry dialog, complete the form fields as this window shows and click Save. On the Authentication tab, choose Certificate Authentication and select the user certificate that was stored on the smart card.

    vpn3k-scsquare-55.gif

  4. Choose the new connection you have just created and click Connect.

    vpn3k-scsquare-56.gif

  5. When the SC2 (TM) CSP popup dialog appears, enter the PIN for your smart card.

    vpn3k-scsquare-57.gif

  6. When the VPN Client popup dialog appears, enter the username and password of the VPN user account created on the concentrator.

    vpn3k-scsquare-58.gif

  7. You are now connected to the VPN. The active connection is indicated in the VPN Client status bar and in the system tray as a closed lock.

    vpn3k-scsquare-59.gif

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Related Information
