topic VPN connection - device sertificate in SASE and Remote Access

VPN connection - device sertificate

SasaSamardzic — Fri, 27 Nov 2020 09:50:18 GMT

Hello,

is it possible to connect VPN clients with device certificate which is enrolled by Intune in Azure cloud solution.

Specifically, we have established SCEPman service which is intergrated with Intune in Azure. This service enroll device certificate on all our clients (MacOS,Windows,Android and IOS).

I have been research on SK but only founded intergration device certification on-premise AD.

Kind Regards

Sasa

Re: VPN connection - device sertificate

G_W_Albrecht — Fri, 27 Nov 2020 12:03:36 GMT

You have to import the CA so the GW will know and use it, see sk103885: How to change the certificate presented by Security Gateway to Remote Access clients.

Re: VPN connection - device sertificate

SasaSamardzic — Fri, 27 Nov 2020 12:47:09 GMT

Hello, but on this tab I have only this option

This gateway authenticates with this certificate - defaultCert.

How/Where I can upload to see appropriate certificate?

Thanks

Sasa

Re: VPN connection - device sertificate

PhoneBoy — Sat, 28 Nov 2020 02:46:44 GMT

For device certificate authentication you must be on R80.40 or above gateway.
You would still need to import a copy of the public CA key from whatever is providing the certificates to your clients.
This is necessary so the device certificate can be validated.

Re: VPN connection - device sertificate

SasaSamardzic — Sun, 29 Nov 2020 19:38:06 GMT

Hello,

yes, version R80.40 is on gateway. Just to be sure, adding/importing public CA is doing on Trusted CA and on IPSec VPN I should add created CA which will replace existing deafultCert.

After validatation, client should be able connect to VPN (with device certificate), right?

Kind Regards

Sasa

Re: VPN connection - device sertificate

PhoneBoy — Mon, 30 Nov 2020 03:53:36 GMT

The defaultCert comes from the ICA, so you can't really delete it.
It's also the gateway certificate, not the certificate authority itself.
You have to create an OPSEC CA object where you import the relevant public key.
(That's what it used to be called, it's a Trusted CA object in R80.40)

Re: VPN connection - device sertificate

SasaSamardzic — Mon, 30 Nov 2020 08:55:24 GMT

Hello,

we did all steps above.

My question is does certificate must be connected to on premise LDAP server or not?

We would use cloud based radius server integrated with microsoft Intune service.

Also please see attachment VPN_clients.png

Kind Regards

Sasa

Re: VPN connection - device sertificate

PhoneBoy — Mon, 30 Nov 2020 22:38:20 GMT

If you want user group information, the gateway will need to be connected to an LDAP server of some sort.

Re: VPN connection - device sertificate

SasaSamardzic — Tue, 01 Dec 2020 09:47:14 GMT

Thanks for feedback.

So, conclusion is: gateway can not check/validate device certificate directly to Intune if it does not communicate with LDAP in any way.LDAP is mandatory.

Please correct me if I am wrong.

Kind Regards

Sasa

Re: VPN connection - device sertificate

PhoneBoy — Tue, 01 Dec 2020 17:00:17 GMT

Certificate validation either requires LDAP or HTTPS for CRL checking.
Group information for users requires LDAP.

Re: VPN connection - device sertificate

Sergo89 — Mon, 26 Sep 2022 18:40:11 GMT

Hi Sasa, did you implement this project? everything works? i would like to do same thing. How did you configure client? like "Personal certificate"?

thanks

Re: VPN connection - device sertificate

SasaSamardzic — Thu, 29 Sep 2022 12:50:34 GMT

Hi Sergo89,

unfortunately not. Riht now, we are using "Personal Certificate".

@PhoneBoy is there any progress regarding Device Certificate without LDAP? We are on R81 version CP

Sasa

Re: VPN connection - device sertificate

Sergo89 — Thu, 29 Sep 2022 14:44:58 GMT

Thanks Sasa,

could you advise how to configure "Personal cert"? i couldnt find normal step by step description.

first step (i guess) i have install local cert from domain CA, what's next? and how to get certs for each remote client (or it will be just one cert)?

thanks

Re: VPN connection - device sertificate

PhoneBoy — Thu, 29 Sep 2022 14:57:57 GMT

In terms of validating the certificate, the relevant CA key as to be configured as trusted.
Based on the other responses in this thread, you have not done this yet.
Once you do this, you can issue certificates from your Certificate Authority.

If you want to treat some users differently in your access policy, we need some way to differentiate the users.
That either means:

Creating each user locally with the appropriate authentication method and adding them to a group
Using LDAP

Nothing has changed here.

Re: VPN connection - device sertificate

SasaSamardzic — Fri, 30 Sep 2022 06:39:33 GMT

@PhoneBoy Thanks

@Sergo89 Link bellow describe PKI.When every users get private certificate, additional configuration on CP is need (communication with local AD), on Autchentication tab for VPN clients create new connection with certificate

https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

Re: VPN connection - device sertificate

michele — Thu, 22 Jun 2023 13:02:51 GMT

Hi, did you succeed in any way? i also have scepman (including radius); my clients connect via capsule (now user and password); i would like to raise the security level but without changing the client