Certificates For Cac Card On Mac The Helper

There is a METHOD 1 and a METHOD 2 to install the root certificates. Since Catalina now accepts DoD CAC cards to log on to the Mac, the helper reader apps have to be removed, and Catalina doesn't temporarily add the CAC to the.

InstallRoot tool. To do this, open the certificate and scroll down in the text. Next, check that all of your certificates show up as valid; if they do not, you will need to install the root certificate. This will prove that you have a good CAC reader and that it is talking to the OS. The browser retrieves the selected certificate from the smart card, which triggers the CAC/PIV.

NOTE: I tested with both the Identive SCR3310v2.0 USB Smart Card Reader (USB type C) and the Identive SCR3500C USB Smartfold Card Reader (USB type C); the AvidCard CACC USB Smart Card Reader (USB type C) did NOT work for me utilizing a G+D FIPS 201 SCE 3.2 CAC or 7.0 CAC.

NOTE2: Mac OS 11.xx.x would not read the 'G+D FIPS 201 SCE 7.0' CAC with.

Select your corresponding computer architecture type from the links below (NIPR Windows Installer; for SIPR certificates, access DISA's site directly from a SIPR machine). Read about transferring Mac 10.7 certificate files here. Instructions for backing up SSL certificates in Mac OS X Lion to a.

This document provides a sample configuration on a Cisco Adaptive Security Appliance (ASA) for AnyConnect VPN remote access with Mac support, using the Common Access Card (CAC) for authentication. The scope of this document is to cover the configuration of the Cisco ASA with the Adaptive Security Device Manager (ASDM), the Cisco AnyConnect VPN Client and Microsoft Active Directory (AD)/Lightweight Directory Access Protocol (LDAP). It also covers advanced features such as OCSP, LDAP attribute maps and Dynamic Access Policies (DAP).

Prerequisites

Requirements
A basic understanding of the Cisco ASA, the Cisco AnyConnect Client, Microsoft AD/LDAP and Public Key Infrastructure (PKI) is beneficial in understanding the complete setup. The configuration in this guide uses a Microsoft AD/LDAP server.

Components Used
The information in this document is based on these software and hardware versions:
Cisco 5500 Series Adaptive Security Appliance (ASA) that runs software version 8.0(x) and later
Cisco Adaptive Security Device Manager (ASDM) version 6.x for ASA 8.x
Cisco AnyConnect VPN Client 2.2 with Mac support
The ASA image required is at least 8.0.2.19 and ASDM 6.0.2. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Deployment Considerations
This guide does NOT cover basic configurations such as interfaces, DNS, NTP, routing, device access, ASDM access and so forth. It is assumed that the network operator is familiar with these configurations. Refer to Multifunction Security Appliances for more information.

The CAC certificate is used for authentication, and the User Principal Name (UPN) attribute in the certificate is populated in Active Directory for authorization. The certificate must be valid for remote access to the network.

The sections highlighted in RED are mandatory configurations needed for basic VPN access. The sections highlighted in BLUE are advanced features that can be included to add more security to the design. For example, a VPN tunnel can be set up with the CAC card without doing OCSP checks, LDAP mappings or Dynamic Access Policy (DAP) checks. DoD mandates OCSP checking, but the tunnel works without OCSP configured.

ASDM and AnyConnect/SSL VPN cannot use the same port on the same interface. For example, use port 445 for ASDM and leave 443 for AnyConnect/SSL VPN. The ASDM URL access has changed in 8.x.

See Appendix A for LDAP and Dynamic Access Policy mapping examples for additional policy enforcement. See Appendix D on how to check LDAP objects in MS. See Related Information for a list of application ports for firewall configuration.

Cisco ASA Configuration
This section covers the configuration of the Cisco ASA via ASDM.

Authentication, Authorization, Accounting (AAA) Configuration
Users are authenticated with the certificate in their Common Access Card (CAC) through the DISA Certificate Authority (CA) server or the CA server of their own organization. Department of Defense (DoD) requires the use of the User Principal Name (UPN) attribute for authorization, which is part of the Subject Alternative Name (SAN) section of the certificate. The UPN or EDI/PI must be in this format, These configurations show how to configure an AAA server in the ASA with an LDAP server for authorization. See Appendix A for additional configuration with LDAP object mapping.

Make sure that the server you created is highlighted in the previous table. In the Servers in the selected group table, click Add. See Figure 1. In the Edit AAA Server window, complete these steps:
Choose the interface where the LDAP server is located. This guide shows the inside interface.
Enter the server port. The default LDAP port is 389.
Enter the Base DN. See Figure 2.
Note: Choose the Enable LDAP over SSL option if your LDAP/AD is configured for this type of connection.

Installing Root Certificates
DoD PKI requires a certificate for each of these: Root CA 2, Class 3 Root, the CA# Intermediate that the ASA is enrolled with, the ASA ID certificate and the OCSP server certificate. If you choose not to use OCSP, the OCSP certificate does not need to be installed. A Dual SAN certificate is not required; an SSL certificate should be sufficient for the ASA for remote access.

Note: Contact your security POC in order to obtain root certificates as well as instructions on how to enroll for an identity certificate for a device. Ask your PKI POC for more information.

Note: DoD CA2 and Class 3 Root, as well as the ASA ID and the CA intermediate that issued the ASA certificate, should be the only CAs needed for user authentication. All of the current CA intermediates fall under the CA2 and Class 3 Root chain and are trusted as long as the CA2 and Class 3 Roots are added.

Note: The local machine also has to have the DoD CA chain installed. DoD has produced a batch file that automatically adds all of the CAs to the machine.

First, install the CA certificates (Root and Subordinate Certificate Authority) needed. Second, enroll the ASA with a specific CA and obtain the identity certificate.

Choose Remote Access VPN > Certificate Management > CA Certificate > Add. See Figure 3.
Choose Install from File and browse to the certificate.
Choose Install Certificate. This window should appear (Figure 4: Installing Root Certificate).

Enroll ASA and Install Identity Certificate
Choose the DoD-1024 Key Pair (Figure 6: Installing Root Certificate).
Note: DoD Root CA 2 uses a 2048-bit key. A second key that uses a 2048-bit key pair should be generated to be able to use this CA. Click the radio button to add a new key and complete the previous steps in order to add the second key.
Go to the Certificate Subject DN box and click Select. In the Certificate Subject DN window, enter the information of the device. See Figure 7 (Figure 7: Identity Certificate Parameters).
Refer to Exporting and Importing Trustpoints for more information.
Note: Click SAVE in order to save the configuration in flash memory.
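The ASDM steps in the AAA and certificate sections above map onto a small set of ASA CLI commands. The following is an added example (not from the original page or from Cisco's own document) showing that CLI equivalent end to end: moving ASDM off port 443, the root and intermediate trustpoints, the 2048-bit enrollment key pair, the AD/LDAP server used for authorization by UPN, and a tunnel group that authenticates with the CAC certificate. Every trustpoint name, hostname, address, DN, image filename and OCSP URL is an assumed placeholder; only the command syntax is real ASA 8.0 syntax.

```cisco
! Added example. All names, addresses, DNs, the image path and the OCSP URL
! are assumed placeholders; replace them with your own values.

! ASDM and AnyConnect/SSL VPN cannot share 443 on the same interface:
! run ASDM on 445 and leave 443 for the VPN.
http server enable 445
http 10.10.10.0 255.255.255.0 inside

! Trusted DoD roots. One trustpoint per CA certificate; paste each PEM
! certificate at the exec-mode prompt "crypto ca authenticate <name>".
crypto ca trustpoint DoD-Root-CA-2
 enrollment terminal
 revocation-check none
crypto ca trustpoint DoD-Class-3-Root
 enrollment terminal
 revocation-check none

! Intermediate that issues the ASA identity certificate. DoD Root CA 2 uses
! a 2048-bit key, so a second 2048-bit key pair is generated for this
! enrollment instead of the existing 1024-bit pair.
crypto key generate rsa label DoD-2048 modulus 2048
crypto ca trustpoint DoD-CA-XX
 enrollment terminal
 keypair DoD-2048
 subject-name CN=asa1.example.mil,OU=PKI,OU=DoD,O=U.S. Government,C=US
 fqdn asa1.example.mil
 ! DoD mandates OCSP. "revocation-check ocsp none" would let sessions
 ! through when the responder is unreachable; plain "ocsp" fails closed.
 revocation-check ocsp
 ocsp url http://ocsp.example.mil
! Exec mode, in this order: "crypto ca authenticate DoD-CA-XX",
! "crypto ca enroll DoD-CA-XX" (produces the CSR), then
! "crypto ca import DoD-CA-XX certificate" with the issued certificate.
! When OCSP is used, the OCSP responder certificate is installed as one
! more trustpoint in the same way.
ssl trust-point DoD-CA-XX outside

! AD/LDAP server group used for AUTHORIZATION only; the CAC certificate does
! the authentication. The naming attribute is userPrincipalName because the
! UPN carried in the certificate SAN is the value populated in AD.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 172.18.120.160
 server-port 389
 ldap-base-dn DC=example,DC=mil
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=example,DC=mil
 ldap-login-password <bind-password>
 server-type microsoft
! For LDAP over SSL use "server-port 636" and add "ldap-over-ssl enable".

! Group policy and tunnel group: certificate authentication, UPN taken from
! the certificate SAN and used as the LDAP lookup key, authorization required
! so a valid CAC with no matching AD object is still refused.
group-policy CAC-USERS internal
group-policy CAC-USERS attributes
 vpn-tunnel-protocol svc webvpn
tunnel-group CAC-USERS type remote-access
tunnel-group CAC-USERS general-attributes
 default-group-policy CAC-USERS
 authorization-server-group AD-LDAP
 authorization-required
 authorization-dn-attributes UPN
tunnel-group CAC-USERS webvpn-attributes
 authentication certificate
 group-alias CAC-USERS enable

! Optional: map any certificate issued under the DoD hierarchy to the CAC
! tunnel group so users are not asked to pick a group (issuer value assumed).
crypto ca certificate map DoD-CAC-MAP 10
 issuer-name attr o eq "u.s. government"

webvpn
 enable outside
 svc image disk0:/<anyconnect-macosx-pkg> 1
 svc enable
 certificate-group-map DoD-CAC-MAP 10 CAC-USERS
```

Two checks worth doing after applying this: "show crypto ca certificates" should list the root, intermediate and identity certificates with the expected issuers, and "test aaa-server authorization AD-LDAP host 172.18.120.160 username <upn-from-a-test-cac>" (address and UPN assumed) confirms the LDAP lookup resolves before any client is pointed at the ASA.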
Author: Danny