This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
SasaSamardzic
Explorer
‎2020-11-27 01:50 AM

VPN connection - device sertificate

Hello,

is it possible to connect  VPN clients with device certificate which is enrolled by Intune in Azure cloud solution.

Specifically, we have established SCEPman service which is intergrated with Intune in Azure. This service enroll device certificate on all our clients (MacOS,Windows,Android and IOS).

I have been research on SK but only founded intergration device certification on-premise AD.

 

Kind Regards

Sasa 

0 Kudos
Reply
9 Replies
G_W_Albrecht
Champion
Champion
‎2020-11-27 04:03 AM

You have to import the CA so the GW will know and use it, see sk103885: How to change the certificate presented by Security Gateway to Remote Access clients.

0 Kudos
Reply
SasaSamardzic
Explorer
‎2020-11-27 04:47 AM
In response to G_W_Albrecht

Hello, but on this tab I have only this option 

This gateway authenticates with this certificate - defaultCert.

How/Where I can upload to see appropriate certificate?

Thanks

Sasa

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-11-27 06:46 PM

For device certificate authentication you must be on R80.40 or above gateway.
You would still need to import a copy of the public CA key from whatever is providing the certificates to your clients.
This is necessary so the device certificate can be validated.

0 Kudos
Reply
SasaSamardzic
Explorer
‎2020-11-29 11:38 AM
In response to PhoneBoy

Hello,

yes, version R80.40 is on gateway. Just to be sure, adding/importing public CA is doing on Trusted CA and on IPSec VPN I should add created CA which will replace existing deafultCert.

After validatation, client should be able connect to VPN (with device certificate), right?

 

Kind Regards

Sasa

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-11-29 07:53 PM
In response to SasaSamardzic

The defaultCert comes from the ICA, so you can't really delete it.
It's also the gateway certificate, not the certificate authority itself.
You have to create an OPSEC CA object where you import the relevant public key.
(That's what it used to be called, it's a Trusted CA object in R80.40)

Screen Shot 2020-11-29 at 7.51.39 PM.png

0 Kudos
Reply
SasaSamardzic
Explorer
‎2020-11-30 12:55 AM
In response to PhoneBoy

Hello,

we did all steps above.

My question is does certificate must be connected to on premise LDAP server or not?

We would use cloud based radius server integrated with microsoft Intune service.

Also please see attachment VPN_clients.png

 

Kind Regards

Sasa

Preview file
15 KB
0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-11-30 02:38 PM
In response to SasaSamardzic

If you want user group information, the gateway will need to be connected to an LDAP server of some sort.

0 Kudos
Reply
SasaSamardzic
Explorer
‎2020-12-01 01:47 AM
In response to PhoneBoy

Thanks for feedback.

So, conclusion is: gateway can not check/validate device certificate directly to Intune if it does not communicate with LDAP in any way.LDAP is mandatory.

Please correct me if I am wrong.

Kind Regards

Sasa

 

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-12-01 09:00 AM
In response to SasaSamardzic

Certificate validation either requires LDAP or HTTPS for CRL checking.
Group information for users requires LDAP. 

0 Kudos
Reply