FireBrick Road Warrior Certificate Authentication: Difference between revisions
Revision as of 14:53, 19 January 2018
It is possible to use Client Certificate authentication instead of using EAP Users. This method may be preferable to some, as your EAP password is not viewable from the FireBrick's configuration.
This page is a work-in-progress and is not currently complete.
Step 1 - Generating Certificates
Creating Certificates
Follow the guidance at FireBrick Road Warrior Certificates to generate the usual set of certificates required for Road Warrior.
Generate a Client Key
Using the make-key script you used during the previous steps to generate your certificates, you will need to generate a Client Key for your device.
./make-key client-key.pem
Generate the Client Certificate
Using a tool such as wget, download the make-client-cert script. This is a modified version of the make-cert script that changes extended=extendedKeyUsage=serverAuth to extended=extendedKeyUsage=clientAuth, to generate the client certificate.
wget http://www.firebrick.co.uk/tools/make-client-cert
Once downloaded, run the script to generate your Client Certificate, remembering to change the FQDN to the one you are using for your FireBrick.
./make-client-cert DN="/C=GB/O=Server/CN=server.example.com" FQDN=server.example.com KEY=client-key.pem ISSUER-KEY=ca-key.pem ISSUER=ca-cert.pem client-cert.pem
Convert your Client Certificate to a PKCS#12 file
The .pfx file, in PKCS #12 format, is your actual Client Certificate (the client key and certificate bundled together with the CA certificate) that you will install on the end device, such as Android or iOS.
openssl pkcs12 -export -out client.pfx -inkey client-key.pem -in client-cert.pem -certfile ca-cert.pem
Remember to set a password on this; you will need it when you import the certificate on your device.
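As an added example (not FireBrick's make-key or make-client-cert scripts, whose contents this page does not show), the following shell script reproduces the three steps above with plain openssl against a throwaway CA, and adds the checks worth running before importing the .pfx into a device: that the client certificate chains to the CA, that its extended key usage really is clientAuth rather than serverAuth, and that the private key matches the certificate. It also reads the PKCS#12 passphrase from the environment (PFX_PASS) rather than placing it on the command line. All names, paths and the default passphrase are constructed for the demonstration; it assumes openssl 1.1.1 or newer is on PATH.

```shell
#!/bin/sh
# Added example, not one of FireBrick's make-* scripts: build a throwaway CA and a
# client certificate with plain openssl (stand-in for make-key / make-client-cert),
# check the properties the Road Warrior setup relies on, then export the PKCS#12.
# Assumes openssl 1.1.1+ on PATH. Every name, path and passphrase here is constructed.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Passphrase for the .pfx: taken from the environment, never typed on the command line.
PFX_PASS="${PFX_PASS:-constructed-demo-passphrase}"
export PFX_PASS

# CA key/cert plus a client key/cert signed by the CA with the clientAuth EKU.
make_demo_certs() {
    [ -f "$WORKDIR/client-cert.pem" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORKDIR/ca-key.pem" -out "$WORKDIR/ca-cert.pem" \
        -subj "/C=GB/O=Example/CN=Example Road Warrior CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/client-key.pem" -out "$WORKDIR/client.csr" \
        -subj "/C=GB/O=Example/CN=alice.client.example.com" 2>/dev/null
    # The EKU is what distinguishes this from a server certificate.
    printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:alice.client.example.com\n' \
        > "$WORKDIR/client.ext"
    openssl x509 -req -in "$WORKDIR/client.csr" \
        -CA "$WORKDIR/ca-cert.pem" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
        -days 365 -extfile "$WORKDIR/client.ext" -out "$WORKDIR/client-cert.pem" 2>/dev/null
}

# Check 1: the client certificate verifies against the CA the FireBrick trusts.
chains_to_ca() {
    openssl verify -CAfile "$WORKDIR/ca-cert.pem" "$WORKDIR/client-cert.pem" >/dev/null 2>&1
}

# Check 2: the EKU is clientAuth (a serverAuth-only certificate is the common mistake).
has_client_auth_eku() {
    openssl x509 -in "$WORKDIR/client-cert.pem" -noout -text \
        | grep -q 'TLS Web Client Authentication'
}

# Check 3: the key being packaged is the one the certificate was issued for.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORKDIR/client-cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORKDIR/client-key.pem" -pubout)" ]
}

# Export key + client cert + CA cert as a password-protected PKCS#12 bundle.
build_pfx() {
    openssl pkcs12 -export -out "$WORKDIR/client.pfx" \
        -inkey "$WORKDIR/client-key.pem" -in "$WORKDIR/client-cert.pem" \
        -certfile "$WORKDIR/ca-cert.pem" -passout env:PFX_PASS
}

# Read the bundle back and count PEM objects: expect 3 (private key, client cert, CA cert).
pfx_object_count() {
    openssl pkcs12 -in "$WORKDIR/client.pfx" -nodes -passin env:PFX_PASS 2>/dev/null \
        | grep -c -- '-----BEGIN'
}

main() {
    make_demo_certs
    chains_to_ca        && echo "ok: client cert chains to the CA" || echo "FAIL: chain"
    has_client_auth_eku && echo "ok: EKU is clientAuth"             || echo "FAIL: EKU"
    key_matches_cert    && echo "ok: key matches certificate"       || echo "FAIL: key"
    build_pfx
    echo "ok: client.pfx holds $(pfx_object_count) PEM objects (expect 3) in $WORKDIR"
}
main
```

Run it as-is to see the checks pass on the constructed CA; to check a real client-cert.pem and client-key.pem from make-client-cert instead, point WORKDIR at the directory holding them (together with ca-cert.pem) and the existing files are used rather than regenerated.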
Step 2 - Configuring the FireBrick
The configuration of the FireBrick is much the same as the configuration for using EAP secrets at FireBrick_Road_Warrior_FireBrick_Config, but with two changes:
- peer-auth-method is set to "Certificate" rather than EAP
- no need to add any EAP users.
Example:
<ipsec-ike>
<connection name="server" roaming-pool="roam-pool" auth-method="Certificate" peer-auth-method="Certificate" mode="Wait" local-ID="FQDN:server.example.com"/>
<roaming name="roam-pool" ip="[ranges of LAN IPs]" DNS="[DNS, e.g. 8.8.8.8]"/>
</ipsec-ike>