Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.

Davidson, Brett (Managed Services)
First some background.
 
First issue: I'm wanting to establish certificate-driven, IPSec-based authentication and access on my local LAN. Participants are mainly Windows XP machines (including some laptops via wireless access points which started this process) and a SUSE Linux webserver. The current Windows 2000 server will have Group Policies implemented restricting access to authenticated domain members. (Obviously, the webserver will be excluded from some of these policies). Essentially, access to the domain and the domain server should be restricted to known machines.
 
What also needs to occur is that these same known machines require internet access via a Cisco 800 series router. (thus the same IPsec policies on the domain need to be applied as authentication-only policies on the router). Incoming traffic (as distinct from return traffic) needs to be allowed to the webserver.
 
Second issue is that I wish the Linux webserver to be able to distribute subordinate certificates to web clients.
 
Started to look at the planning for this and my brain started to hurt.
 
Anyone tried this and can share some gotchas, do's and don'ts?
 

Regards,

Brett Davidson

Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.

Kyle Hamilton
The Cisco also needs to be exempted from the "authenticated domain
members" rule, unless you can set its identifying certificate up as
authenticatable to the domain.  (You are authenticating against the
Windows 2000 domain, correct?)

There are known issues with restricting access to known machines only.
 See the Microsoft knowledge base for details.  (Primarily, computers
can't change their account passwords, users can't change their
passwords after they expire, since that requires an anonymous
connection, and a couple other things that are fairly annoying.)

'subordinate certificates to web clients'?  Do you mean end-user TLS
authentication certificates?  If so...

It should be possible to set up Certificate Services on a domain
controller, then create a new Certificate Policy that will allow you
to create a subordinate CA.  Then, create an LDAP client (to run on
the webserver) that has a certificate or other means to authenticate
as something that has permission to modify user attributes, specifically
user-certificate.

While it should theoretically be possible to send CSRs and then
certificates through the Apache (SuSE) server via mod_proxy, I'm not
entirely certain how the interactions between the domain server and
the client would work in that case.

Hire me as a consultant, and I can help more? ;)

-Kyle H

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
RE: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.

Davidson, Brett (Managed Services)
I take it that the easiest solution is to establish a
certificate-authenticated VPN instead then?


RE: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.

Davidson, Brett (Managed Services)
In reply to this post by Kyle Hamilton
I can set the Cisco certificate to authenticate to the W2K domain.
That's reasonably simple.
Deciding what to do about things after that gets a little interesting
but that's another topic... :-)

The anonymous connection requirements for expired passwords I understand
but surely that's just a case of allowing access to the certificate
server on the appropriate ports? (port 80 if web-based authentication is
used, for instance)?
I have read that Windows will not support port-based IPSec rules but
that won't apply in this case.

I wasn't thinking of using the Suse server as a passthrough for
webclient certificate generation; as you surmise I suspect that would be
more trouble than it's worth. There's enough written about how it's
clumsy with ISA server to put me off that.
I was considering using the Suse server as a certificate issuer in its
own right backed by a higher-level certificate on the W2K machine. (I
don't want web users to authenticate on the domain; at least that's not
a requirement yet, and if so, that should still be possible depending on
the type of certificate issued by the W2K machine).


Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.

Kyle Hamilton
On 4/2/06, Davidson, Brett (Managed Services) <[hidden email]> wrote:
> I can set the Cisco certificate to authenticate to the W2K domain.
> That's reasonably simple.
> Deciding what to do about things after that gets a little interesting
> but that's another topic... :-)
>
> The anonymous connection requirements for expired passwords I understand
> but surely that's just a case of allowing access to the certificate
> server on the appropriate ports? (port 80 if web-based authentication is
> used, for instance)?

If an account (or its password) is expired, it cannot authenticate.
That's part of the problem, and the only way to change it is to allow
anonymous RPC connections.

> I have read that Windows will not support port-based IPSec rules but
> that won't apply in this case.

I'm not sure what you mean by "port-based IPSec rules" -- it does
allow for the creation of policy that states that traffic, incoming or
outgoing, over a given port or set of ports, MUST be IPsec'd.

> I wasn't thinking of using the Suse server as a passthrough for
> webclient certificate generation; as you surmise I suspect that would be
> more trouble than it's worth. There's enough written about how it's
> clumsy with ISA server to put me off that.
> I was considering using the Suse server as a certificate issuer in its
> own right backed by a higher-level certificate on the W2K machine. (I
> don't want web users to authenticate on the domain; at least that's not
> a requirement yet, and if so, that should still be possible depending on
> the type of certificate issued by the W2K machine).

There are two ways that you could do this -- have the webserver be a
"registration authority", i.e. it accepts CSRs from clients and sends
them on to the certifying authority.

Or, you can have it be an issuer in its own right, which will require
that it have a certificate which is authorized to be a CA (ca:true,
maxDepth=[something greater than 1]) by signing its certificate with
the W2K CA in a CA mode.

(The idea being that anything signed by the CA is authenticated by that CA.)

-Kyle H
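Kyle's second option, worked through with the openssl command line as an added example (this is not code from the thread): an assumed offline root stands in for the W2K Certificate Services CA, it signs the webserver's certificate with basicConstraints CA:TRUE and a pathlen (his "maxDepth"), and the webserver then issues client certificates in its own right. Two negative cases show why the W2K-issued certificate must carry CA:TRUE and a sufficient path length: certificates issued under a non-CA certificate, or one level deeper than pathlen allows, are rejected by the verifier. "Example Root CA", webca, alice and the other names are constructed placeholders.

```shell
# Added example, not from the thread: builds Kyle's "issuer in its own right" chain
# with the openssl CLI and checks each case with openssl verify. All names are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ca_sub]
# Kyle's "ca:true, maxDepth": pathlen:0 lets this CA sign end-entity certs only
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[not_ca]
basicConstraints = critical, CA:FALSE
[client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
# The self-signed root plays the part of the W2K Certificate Services CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
  -config ext.cnf -extensions ca_root -keyout root.key -out root.pem 2>/dev/null

# issue NAME SIGNER SECTION: new key + CSR for NAME, signed by SIGNER with SECTION's extensions
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config ext.cnf \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
# verify_chain LEAF [INTERMEDIATE...]: returns 0 only if LEAF chains to root.pem
verify_chain() {
  leaf=$1; shift
  : > chain.pem
  for ca in "$@"; do cat "$ca.pem" >> chain.pem; done
  openssl verify -CAfile root.pem -untrusted chain.pem "$leaf.pem" >/dev/null 2>&1
}

issue webca  root   ca_sub   # the webserver's CA certificate, signed by the root
issue alice  webca  client   # a client certificate the webserver issues itself
issue notca  root   not_ca   # a root-signed certificate WITHOUT CA:TRUE ...
issue bob    notca  client   # ... so anything "issued" under it is untrusted
issue subsub webca  ca_sub   # one level deeper than webca's pathlen:0 permits
issue carol  subsub client

verify_chain alice webca        && echo "alice: valid (webca is a real sub CA)"
verify_chain bob notca          || echo "bob: rejected (notca lacks CA:TRUE)"
verify_chain carol subsub webca || echo "carol: rejected (pathlen exceeded)"
```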
RE: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.

Davidson, Brett (Managed Services)
Thanks Kyle. I had not been aware of the "registration authority"
option.
