Is it possible to verify the client certificate when SSL VPN connects?


I found there is a Client Certificate Profile option, but I searched around and there seems to be no document or manual describing how to use it.

Can anyone help?


Accepted Solutions
L6 Presenter

Here is an outline of what needs to be done:

1. On your Windows CA, create client certificates.

2. Install the client certificates in each user's browser (one cert per user).

3. Import the root CA from Windows on the PAN device under the Client CA Cert (device tab -> certificates -> client CA Cert).

4. Create a client certificate profile:

    a. Select the username field.

    b. Under CA cert, select the one that you imported to the PAN in step 3 and then click add.

    c. Check "use CRL".

    d. Click "OK".

Note: if you bought your client certs then you would want to check the OCSP checkbox.

5. In your SSL VPN profile, select the Client Certificate profile that you created in step 4, then click OK.

6. Commit.

At this point, when a user logs into the SSL VPN portal they should be asked to select the client certificate that they wish to use. This should be in their browser and available for them to select.

Note: make sure the management interface of the PAN device can access TCP:443 of the CRL server (or the internet if checking against a commercial CA).

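The checks that the client certificate profile in step 4 relies on (chain to the imported CA, client-authentication usage, CRL revocation status) can be rehearsed offline with the OpenSSL command line. This is an added example, not part of the original post and not Palo Alto Networks code. It assumes OpenSSL 1.1.1 or later, uses a throwaway CA in place of the Windows CA, treats the subject CN as the username field, and all function and file names are hypothetical.

```shell
# Constructed lab (all names made up): throwaway root CA, client cert CN=alice, CRL.
set -eu
make_lab() {                 # $1 = empty working directory
  d=$1; : > "$d/index.txt"
  cat > "$d/lab.cnf" <<EOF
[lab]
database = $d/index.txt
default_md = sha256
default_crl_days = 7
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
[client]
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$d/lab.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Lab Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -config "$d/lab.cnf" -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null
  openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -days 30 \
    -CAcreateserial -extfile "$d/lab.cnf" -extensions client -out "$d/alice.pem" 2>/dev/null
  publish_crl "$d"
}
publish_crl() {              # (re)issue the CRL from the CA database
  openssl ca -config "$1/lab.cnf" -name lab -gencrl -cert "$1/ca.pem" \
    -keyfile "$1/ca.key" -out "$1/ca.crl" 2>/dev/null
}
revoke() {                   # $1 = lab dir, $2 = certificate to revoke
  openssl ca -config "$1/lab.cnf" -name lab -revoke "$2" -cert "$1/ca.pem" \
    -keyfile "$1/ca.key" 2>/dev/null
  publish_crl "$1"
}
check_client_cert() {        # 0 only if chained to the CA, clientAuth, not revoked
  openssl verify -purpose sslclient -crl_check -CAfile "$1/ca.pem" \
    -CRLfile "$1/ca.crl" "$2" >/dev/null 2>&1
}
username_of() {              # subject CN, assumed here to be the username field
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}
lab=$(mktemp -d); make_lab "$lab"
check_client_cert "$lab" "$lab/alice.pem" && echo "$(username_of "$lab/alice.pem"): accepted"
revoke "$lab" "$lab/alice.pem"
check_client_cert "$lab" "$lab/alice.pem" || echo "after revocation: rejected"
```

The second check fails only because a fresh CRL was published after the revocation; a device that cannot fetch the current CRL will not see it, which is why the reachability note in the answer matters.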


All Replies
L0 Member

I want to use client certificates for SSL VPN authentication too. Does anybody know how to configure it?
