Feb 12
A few days ago I described a technique that uses certificate-based authentication in StoneGate SSL VPN to match a certificate attribute to a user attribute, in order to uniquely identify a user in the Directory Service and allow login, perform Single Sign-On (SSO), etc.
In this article I’m taking it one step further, since StoneGate SSL VPN can authenticate a user presenting a valid certificate without even knowing who the user is, and then use any field of the certificate to perform SSO to protected resources.
written by RoarinPenguin - 1,155 views
\\ tags: authentication, certificate, SSL VPN
Feb 05
The time has come for a new tech dive into StoneGate SSL VPN, and today I’d like to share with you a nice tip concerning advanced techniques to manage the Single Sign-On process with our splendid solution.
The idea is to allow authentication based on a certificate; then, if a certificate attribute matches a user attribute in the user profile, we pass that parameter on for a Single Sign-On operation.
Consider the following schema:

written by RoarinPenguin - 2,619 views
\\ tags: certificate, Single Sign-On, SSL VPN, SSO, user attribute
Dec 15
Everyone knows how to manage VPN client certificates through the GUI – a request can be created and the signed certificate for it can then be easily imported. But what to do when there is an unattended install of the VPN client and it should be managed remotely, or at least one has to import certificates for VPN authentication without touching the local GUI?
If external certificates need to be used, they must be imported manually. This is done as follows:
1) Two files are needed, the certificate file and the private key file. They need to have the same file name body but different suffixes, .crt for the certificate and .prv for the private key. An example of a valid name pair is certificate.crt and certificate.prv.
2) These files have to be copied to the VPN client certificate directory. Copy both files at the same time so that the VPN client sees both files at the same time. The certificate directory is:
- Vista: “C:\ProgramData\Stonesoft\StoneGate IPsec VPN\certificates”
- XP and 2000: “C:\Documents and Settings\All Users\Application Data\Stonesoft\StoneGate IPsec VPN\certificates”
3) The certificate should now appear in the client GUI. If this is not the case, re-check that the file names are in the format specified in step 1). You may also need to restart the StoneGate IPsec VPN Service.
Similarly, certificates can be removed from the GUI – they cannot be deleted by “right-clicking” the appropriate entry, but they can be deleted with a file system explorer by going to the aforementioned directory.
written by DR - 1,327 views
\\ tags: certificate, client, VPN
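The three import steps above as an unattended PowerShell script; this is an added example, not code from the original post or from Stonesoft. The parameter names and the service display-name pattern are assumptions, and the default directory is the Vista path from step 2.

```powershell
# Added example, not vendor code. Parameter names and the service display-name
# pattern are assumptions; the default directory is the Vista path from step 2.
# On XP/2000 pass -CertDir with the "All Users\Application Data" path instead.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,   # e.g. .\certificate.crt
    [Parameter(Mandatory = $true)][string]$KeyPath,    # e.g. .\certificate.prv
    [string]$CertDir = 'C:\ProgramData\Stonesoft\StoneGate IPsec VPN\certificates',
    [string]$ServiceDisplayName = 'StoneGate IPsec VPN*'   # assumed display name
)
$ErrorActionPreference = 'Stop'

# Step 1: same file name body, suffix .crt for the certificate, .prv for the key.
$cert = Get-Item -LiteralPath $CertPath
$key  = Get-Item -LiteralPath $KeyPath
if ($cert.Extension -ne '.crt') { throw "Certificate must use the .crt suffix: $($cert.Name)" }
if ($key.Extension  -ne '.prv') { throw "Private key must use the .prv suffix: $($key.Name)" }
if ($cert.BaseName -ne $key.BaseName) {
    throw "File name bodies differ: '$($cert.BaseName)' vs '$($key.BaseName)'"
}
if (-not (Test-Path -LiteralPath $CertDir -PathType Container)) {
    throw "Certificate directory not found: $CertDir"
}

# Refuse to silently replace a certificate or key that is already installed.
foreach ($f in $cert, $key) {
    if (Test-Path -LiteralPath (Join-Path $CertDir $f.Name)) {
        throw "$($f.Name) already exists in $CertDir; remove the old pair first"
    }
}

# Step 2: copy both files in a single operation so the client sees the pair together.
Copy-Item -LiteralPath $cert.FullName, $key.FullName -Destination $CertDir

# Confirm both copies are complete before touching the service.
foreach ($f in $cert, $key) {
    $copied = Get-Item -LiteralPath (Join-Path $CertDir $f.Name)
    if ($copied.Length -ne $f.Length) { throw "Copy of $($f.Name) is incomplete" }
}

# Step 3: restart the VPN service so the new pair is picked up.
$svc = @(Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue)
if ($svc.Count -eq 1) {
    Restart-Service -InputObject $svc[0]
} else {
    Write-Warning "Expected one service matching '$ServiceDisplayName', found $($svc.Count); restart it manually."
}
```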