2 Replies Latest reply on Jul 18, 2013 6:29 PM by Jon Scholten

    Using client certficates for authentication on wg 7.2.0.8.0

      Hi,

      I already have a kerberos authentication / WebGateway ruleset working as per this excellent guide.

       

      Jon ScholtenHow To: Setup Kerberos Authentication on Web Gateway 7.x

       

      I now want to extend the authentictaion to handle browser/device which offer a client certificate (actually Safari on IPads).

       

      I am looking for a bit of advice on what to do.

       

      I understand that I can create a new authentication method under settings which is of type "SSL client Certificate".

       

      What are the next steps ? I see candidate rules sets in the library but not sure which ones are appropriate

       

      any guidance gratefully recieved

       

      Thanks

       

      Marduk

        • 1. Re: Using client certficates for authentication on wg 7.2.0.8.0
          Jon Scholten

          Hi Marduk!

           

          I'm glad you liked my Kerberos guide! I hope I can help with x509 stuff too!

           

          This is something that has been brought up here:

          https://community.mcafee.com/message/280186#280186

          https://community.mcafee.com/message/295307#295307

           

          To achieve this we need to modify the default "Authentication Server" rules. Details on the "Authentication Server" can be found here:

          https://community.mcafee.com/docs/DOC-4384

           

          Effectivley, all that is done with the "authentication server" rules is; you redirect the user to a URL on the MWG; the MWG then authenticates them (using whatever method (NTLM kerberos x509) and then MWG stores a "session" which ties the user's IP to their username for X ammount of time.

           

          In the thread raised by jps (https://community.mcafee.com/message/280186#280186), he setup his iPads with a separate proxy pac file. He was then able to create a separate proxy port for those users, and create separate authentication rules to apply to them.

           

          I would suggest using this method (distiguishing the users based on proxy port) in order to decide if you want to perform certificate authentication or not.

           

          Attached is a ruleset you can use to TEST this out.

           

          It consists of two main ruleset components.

          rules.png

           

          1. "Check for valid authentication session" - This is where MWG looks in its internal session database. If it finds a valid entry for your IP address, then it populates all of your authentication information accordingly. If it does not find a valid session for your IP address, then it will redirect you to the URL configured in the "Authentication Server (port 444)" settings.

           

          2. "Authentication Server" - This is where the MWG actually authenticates you after you have been redirected according to "Authentication Server (port 444)". Read over "https://community.mcafee.com/docs/DOC-4384" for more details on this. This ruleset can be moved out on its own at the top of the ruleset if needed.

           

          Some of the subcomponents are:

           

          1. You need to create an additional proxy port, just for the Authentication Server communication (in the example I used port 444). This is done on each MWG under Configuration > Proxies, then add a new listener and set ports treated as SSL to '*'.

          1_proxy_port.png

           

           

          2. Redirect URL - Leave alone to start. This will need to be configured correctly such that the client machine does not complain. The default is set to:

          https://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:444

          2_auth_server_url.png

           

          3. Enrollment page or MWG generated certificates - How will the clients be getting their certificates? If they fail to present a certificate how do you want MWG to handle it? In the rules you can configure a fail over page, where MWG will redirect them to your enrollment web page to get a certificate.

          3_enrollment.png

           

          4. Certificate for authentication server - The communication with MWG must be secure. As such you will need a web server certificate configured in the rules this is done under Default Certificate Based Authentication > Authentication Server > SSL Handling > Accept Incoming HTTPS Connections

          4_authserver_certificate.png

           

          5. Certificate for verifying certs presented by the clients - In order for x509 auth to work, you need a CA that is signing all of the client certificates. The public certificate can be imported into the MWG, so the MWG can verify the authority on the client cert.

          5_x509_auth.png

           

          I hope to add this to my authentication guide, but this should help you and others get started.

           

          Best,

          Jon

          • 2. Re: Using client certficates for authentication on wg 7.2.0.8.0
            Jon Scholten

            One flaw in this ruleset.

             

            I forgot to include group lookups. I will have to add this tomorrow, this can be done by adding a group lookup using LDAP.

             

            Best,

            Jon