VPN 3000 Concentrator and VPN Client Authentication using SC2 (TM) Apollo OS Smart Card Configuration Example

This document describes how to use the SC² ^TM Ltd. Apollo OS Smart Card for a secured, smart card-based authentication between a Cisco VPN Client and a Cisco VPN 3000 Concentrator.

This document is based on a lab test completed with a Windows 2003 Enterprise Server and Certificate Authority (CA), a Windows XP Professional workstation, and a Cisco VPN 3000 Concentrator.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

Cisco VPN 3000 Concentrator version 4.1.3 Released 12-Apr-2004
Cisco VPN Client 4.0.3 (D)
SC^{2 TM} Apollo OS Smart Card (contact interface) versions 2.3, 2.4, and 2.41
SC^{2 TM} Apollo OS Smart Card (dual interface) version 3.01
SC^{2 TM} Cryptographic Service Provider (CSP) version 3.11

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Choose Control Panel > Add or Remove Programs > Add/Remove Windows Components.
Check Certificate Services and click Next.
Choose Enterprise root CA or Stand-alone root CA (this depends on your PKI architecture) and click Next.
Enter the common name for your CA, set the validity period of its certificate, and click Next.
It is recommended to leave these fields with their default values and click Next.
Click Finish.

Windows 2003 Enterprise Certificate Authority Configuration

Complete these steps in order to configure Windows 2003 Enterprise Certificate Authority.

Choose Control Panel > Administrative Tools > Certificate Authority.
Right click on Certificate Templates and choose New > Certificate Template to Issue.
Choose the Enrollment Agent certificate template and click OK.
Repeat steps 1 through 3, choose the Smartcard User certificate template, and click OK.

User's Smart Card Digital Certificate Request

Complete these steps to request a user's smart card digital certificate.

Go to the Certificate Authority web interface.
Choose Request a certificate.
Choose advanced certificate request.
Choose Create and submit a request to this CA.
Choose the Smartcard User certificate template.
Choose Apollo SC^{2 TM} CSP.
Verify that all the selections in your form match the selections that the window in step 8 shows.
Click Submit and enter your PIN when requested.
Once the certificate is issued, click Install this certificate to have the certificate stored on your smart card.
This message appears after a successful certificate installation.

VPN Client Setup

Complete these steps in order to setup the VPN Client.

Open the browser and go to the CA's Certificate Services page.
Choose Download a CA certificate, certificate chain, or CRL.
Verify that all the selections in your form match the selections that the window in step 4 shows.
Choose Download CA certificate.
Click Save in order to save the downloaded certificate on your computer.
Choose the location on your computer to where you want to save the CA certificate.
Enter a name for the certificate and click Save.
Start the VPN Client utility.
From the Certificates menu, enable the Show CA/RA Certificate option.
Click Import.
In the Import Certificate dialog, select Import from file and click Browse.
Choose the CA certificate you previously saved and click Open.
This message appears when you successfully import the certificate.
The CA certificate is now listed in the VPN Client application, under the Certificates tab.

VPN 3000 Concentrator Configuration

Complete these steps in order to configure the VPN 3000 Concentrator.

Enter the VPN 3000 Concentrator Series Manager administration web interface.
Login as Administrator.
On the left side of your screen select Configuration > Tunneling and Security > IPSec > IKE Proposals.
Click Add (in the middle of the screen) to add a new IKE proposal.
In the Add form, fill the required fields as this window shows.
Click Add when you are done.
Verify that the new IKE proposal is listed in the Active Proposals list, and click the Save Needed link on the upper right corner of the form.
On the left side of your screen, select Administration > Certificate Management > Installation.
Choose Install CA certificate.
Choose Upload File from Workstation.
Click Browse and select your CA certificate file (the one you previously saved).
On the left side of your screen select Administration > Certificate Management.
Verify that the CA certificate is listed in the Certificate Authorities certificates table.
On the left side of your screen select Administration > Certificate Management > Enrollment > Identity Certificate > PKCS10.
Complete the form fields as this window shows and click Enroll when you are done.
A new window opens with the PKCS#10 certificate request in it.

VPN Concentrator Identity Certificate (VPN Certificate) Request

Complete these steps in order to request a VPN Concentrator identity certificate (VPN Certificate).

Copy the entire contents of the certificate request to the clipboard.
Go to the Certificate Authority web interface and select Request a certificate.
Choose advanced certificate request.
Choose Submit a certificate request by using a base-64-encoded....
Paste the request you previously copied to the clipboard into the Saved Request edit box.
In the Certificate Template, select Web Server.
Click Submit.
When you are done, click Save to save the issued certificate to your computer.
Return to the VPN 3000 Concentrator administration web interface.
Login as Administrator.
On the left side of your screen, select Administration > Certificate Management > Installation.
Choose Installed certificate obtained via enrollment.
Click the Install link.
Choose Upload File from Workstation.
Click Browse and select the saved certificate.
Verify that the certificate is listed in the Identity Certificates table.
On the left side of your screen, select Configuration > Policy Management > Traffic Management > SAs.
Click Add to add a new SA.
In the Add page, complete the form fields as this window shows and click Add.
On the left side of your screen, select Configuration > User Management > Groups.
Click Add Group to add a new group.
In the Identity tab of the group add page, fill the form fields as this window shows and go to the General tab when you are done.
In the General tab, complete the form fields as this window shows and go to the IPSec tab when you are done.
In the IPSec tab, complete the form fields as this window shows and click Add.
On the left side of your screen, select Configuration > User Management > Users and click Add to add a new user.
In the Identity tab of the add user page, complete the form fields as this window shows and click Add.

VPN Client Configuration

Complete these steps in order to configure the VPN Client.

Start the VPN Client application.
Go to the Connection Entries tab and click New to add a new connection entry.
In the Create New VPN Connection Entry dialog, complete the form fields as this window shows and click Save.
Choose the new connection you have just created and click Connect.
When the SC^{2 TM} CSP popup dialog appears, enter the PIN code to your smart card.
When the VPN Client application popup dialog appears, enter the Username and Password to your VPN account.
You are now connected to the VPN. The active connection is indicated in the VPN Client application status bar as well as in the system tray as a closed lock.