Introduction
This document is a step-by-step guide to installing a smart card reader and configuring Common Access Card (CAC) login for the Cisco Video Communication Server (VCS), for organizations that require two-factor authentication to the VCS environment, such as banks, hospitals, or governments with secure facilities.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Expressway Administrator (X14.0.2).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The CAC provides the authentication that lets systems know who has gained access to their environment and to which part of the infrastructure, physical or electronic. In government classified environments and other secure networks, the rules of "least privileged access" and "need to know" prevail. A username and password could be used by anyone; strong authentication requires something the user has. The CAC, the Common Access Card, was introduced so that an individual would not need to carry multiple devices, whether fobs, ID cards or dongles, to access their place of employment or its systems.
What is a Smart Card?
Smart cards are a key component of the public key infrastructure (PKI) that Microsoft integrates into the Windows platform, because they strengthen software-only solutions such as client authentication, logon, and secure email. Smart cards are a point of convergence for public key certificates and their associated keys because they:
- Provide tamper-resistant storage for the protection of private keys and other forms of personal information.
- Isolate security-critical computations, such as authentication, digital signatures, and key exchange, from other parts of the system that have no need to know.
- Enable portability of credentials and other private information between computers at work, at home, or on the road.
The smart card has become an integral part of the Windows platform because it provides features that software alone cannot: the private key never leaves the card, and using it requires both possession of the card and knowledge of its PIN. If you do not already have an internal PKI, you must set one up first. This document does not cover installation of the Active Directory Certificate Services role; information on how to implement it can be found here: http://technet.microsoft.com/en-us/library/hh831740.aspx.
Configure
This lab assumes you have already integrated LDAP with VCS and have users that can log in with LDAP credentials.
- Lab Equipment
- Install the Smart Card
- Configure Certificate Authority Templates
- Enroll the Enrollment Agent Certificate
- Enroll on behalf of….
- Configure the VCS for Common Access Card
Required Equipment:
Windows Server 2012 R2 domain server with these roles/software installed:
- Certificate Authority
- Active Directory
- DNS
- Windows PC with a smart card reader attached
- vSEC: CMS K-Series management software to manage your Smart Card:
Versa Card Reader Software
Install the Smart Card
Smart card readers generally come with instructions on how to connect any necessary cables. Here is an example of installation for this configuration.
How to Install a Smart Card Reader Device Driver
If the smart card reader has been detected and installed, the Welcome to Windows logon screen acknowledges this. If not:
- Connect the smart card reader to a USB port on your Windows PC.
- Follow the on-screen directions to install the device driver software. Use the driver media supplied by the reader manufacturer, or the driver from the manufacturer's download site, rather than whatever driver Windows discovers on its own; in this lab the manufacturer's driver was used.
- Right-click the My Computer icon on your desktop and click Manage on the submenu.
- Expand the Services and Applications node, and click Services.
- In the right pane, right-click Smart Card. Click Properties on the submenu.
- On the General tab, select Automatic in the Startup Type drop-down list. Click OK.
- Reboot your machine if the Hardware wizard instructs you to do so.
Configure Certificate Authority Templates
1. Launch the Certification Authority MMC from Administrative Tools.
2. Right-click or select the Certificate Templates node and select Manage.
3. Right-click or select the Smartcard User certificate template and then select Duplicate, as shown in the image.
Domain controller Certificate Templates
4. On the Compatibility tab, under Certification Authority, review the selection and change it if needed.
Smart Card Compatibility settings
5. On the General tab:
a. Specify a name, such as Smartcard User_VCS.
b. Set the validity period to the desired value. Click Apply.
Smart Card General Time Begin Expire
6. On the Request Handling tab:
a. Set the Purpose to Signature and smartcard logon.
b. Click Prompt the user during enrollment. Click Apply.
Smart Card Request Handling
7. On the Cryptography tab, set the minimum key size to 2048.
a. Click Requests must use one of the following providers, and then select Microsoft Base Smart Card Crypto Provider.
b. Click Apply.
Certificate Crypto Settings
8. On the Security tab, add the security group that you want to give Enroll access to, and grant it the Enroll permission. For example, to allow all users to enroll, select the Authenticated Users group. For least privilege, prefer a dedicated group of users who actually need smart card logon over Authenticated Users.
Template Security
9. Click OK in order to finalize your changes and create the new template. Your new template must now appear in the list of Certificate Templates.
Template seen on the domain controller
10. In the left pane of the MMC, expand Certification Authority (Local), and then expand your CA within the Certification Authority list.
Right-click Certificate Templates, click New and then click Certificate Template to Issue. Then choose the newly created Smartcard template.
Issue New Template
11. After the template replicates, in the MMC, right-click or select the Certification Authority list, click All Tasks, and then click Stop Service. Then, right-click the name of the CA again, click All Tasks, and then click Start Service.
Stop then start certificate services
Enroll the Enrollment Agent Certificate
It is recommended that you do this on a Client Machine (IT Administrators Desktop).
1. Launch MMC, add the Certificates snap-in, and choose My user account.
Add certificates
2. Right-click or select the Personal Node, select All Tasks and then select Request New Certificate.
Request new certificates
3. Click Next on the wizard, and then select Active Directory Enrollment Policy. Then click Next again.
Active Directory Enrollment
4. Select the enrollment agent certificate (in this lab, Smartcard User_VCS) and then click Enroll.
Enrollment Certificate Agent
Your IT Administrators desktop is now set up as an Enrollment Station, this enables you to enroll new smartcards on behalf of other users.
Enroll on behalf of….
In order for you to now provide employees with smartcards for authentication, you need to enroll them and generate the certificate which then is imported onto the Smartcard.
Enroll on behalf of
1. Launch MMC, add the Certificates snap-in, and choose My user account.
2. Right-click or select Personal > Certificates and select All Tasks > Advanced Operations > Enroll on behalf of...
3. In the wizard, choose the Active Directory Enrollment Policy and then click Next.
Enroll on behalf advanced
4. Select Certificate Enrollment Policy then click Next.
Enrollment policy
5. You are now asked to select the Signing Certificate. This is the enrollment certificate you requested earlier.
Select Signing Certificate
6. On the next screen, you need to browse to the certificate you would like to request and in this instance, it is Smartcard User_VCS which is the template you created earlier.
Choose the VCS Smart Card
7. Next, select the user you wish to enroll on behalf of. Click Browse and type the username of the employee. In this instance, the account for Scott Lang, 'antman@jajanson.local', is used.
Choose the user
8. On the next screen, proceed with the enrollment by clicking on Enroll. Now, insert a smartcard into your reader.
Enroll
9. Once you have inserted your smartcard, it's detected as follows:
Insert the Smart Card
10. You are then asked to type in the smart card PIN (the lab card's default PIN was 0000; change the default before handing the card to the user).
Enter the pin
11. Finally, once you have seen the Enrollment Successful screen, this smart card can be used to authenticate with only the card and its PIN. However, you are not done yet: you still need to configure the VCS to request the client certificate stored on the smart card and to map that certificate to a user for authentication.
Enrollment Successful
Configure the VCS for Common Access Card
1. Upload the Root CA to the trusted CA certificate list in the VCS by navigating to Maintenance > Security > Trusted CA Certificate.
2. Upload the Certificate Revocation List signed by the Root CA to the VCS. Navigate to Maintenance > Security > CRL Management.
3. Test your client certificate against the regex that extracts the username from the certificate; that username is then authenticated against LDAP or the local user database. The regex is matched against the Subject of the certificate, so the field you capture can be the UPN, the email address, and so on. In this lab, the email address in the client certificate was used.
Subject of Client Certificate
4. Navigate to Maintenance > Security > Client Certificate Testing. Select the client certificate to be tested (in this lab, antman.pem) and upload it to the test area. In the Certificate-based authentication pattern section, paste the regex to be tested into Regex to match against certificate. Do not change the Username format field.
Regex used in this lab: /Subject:.*emailAddress=(?<capture>.*)@jajanson.local/m
Test your regex in VCS
Testing Results
5. If the test gives you the desired result, click Make these changes permanent. This sets the regex in the server's Certificate-based authentication configuration. To verify the change, navigate to Maintenance > Security > Certificate-based authentication configuration.
6. Enable client certificate-based authentication by navigating to System > Administrator and setting Client certificate-based security to Client-Based Authentication. With this setting, the user enters the FQDN of the VCS in a browser, is prompted to choose a client certificate and to enter the PIN of the Common Access Card, and the certificate is released. The user is returned to the web GUI of the VCS and only needs to click the Administrator button to be admitted. If Client certificate-based security is set to Client-Based Validation instead, the process is the same except that, when the user clicks the Administrator button, they are prompted again for the admin password. Usually, the latter is not what the organization is trying to accomplish with CAC.
Enable client based authentication
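Steps 3 to 5 above are the part of this procedure where a mistake locks you out, so it is worth checking the regex offline before making it permanent. The following Python script is an added example, not code from the original document or from Cisco: it takes the /pattern/flags form used in the VCS UI, converts the (?<capture>...) named group to Python syntax, and runs it against a hand-constructed imitation of `openssl x509 -noout -text` output for the lab user antman@jajanson.local. The certificate text, the CA name and the second (wrong-domain) certificate are all made up for the example; the #captured# placeholder in the username format is the Expressway convention.

```python
"""Offline check of a VCS/Expressway certificate-based authentication regex.

Added example. The certificate text below is CONSTRUCTED: it imitates the
layout of `openssl x509 -in antman.pem -noout -text` for the lab user but is
not a real certificate. The VCS matches its regex against this kind of text
dump and uses whatever the named group `capture` holds as the username.
"""
import re

# Regex exactly as typed into "Regex to match against certificate" in the lab.
VCS_REGEX = r"/Subject:.*emailAddress=(?<capture>.*)@jajanson.local/m"
# Default "Username format": use the captured text unchanged.
USERNAME_FORMAT = "#captured#"

# Constructed stand-in for the openssl text dump of antman.pem.
ANTMAN_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=local, DC=jajanson, CN=jajanson-DC-CA
        Subject: DC=local, DC=jajanson, CN=Users, CN=Scott Lang/emailAddress=antman@jajanson.local
        X509v3 extensions:
            X509v3 Extended Key Usage:
                Microsoft Smartcardlogin, TLS Web Client Authentication
"""

# Same layout, but the email is in a domain the lab regex does not accept.
OTHER_DOMAIN_TEXT = ANTMAN_TEXT.replace("antman@jajanson.local", "antman@contoso.com")


def to_python_regex(vcs_regex):
    """Translate the /pattern/flags form from the VCS UI into a compiled Python regex.

    The UI writes named groups as (?<name>...); Python needs (?P<name>...).
    Only the m (multiline) and i (ignore case) flags are handled, which is
    all the lab pattern uses.
    """
    m = re.fullmatch(r"/(.*)/([a-z]*)", vcs_regex, re.DOTALL)
    if not m:
        raise ValueError("expected a regex of the form /pattern/flags")
    pattern, flags = m.groups()
    pattern = re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)
    re_flags = 0
    if "m" in flags:
        re_flags |= re.MULTILINE
    if "i" in flags:
        re_flags |= re.IGNORECASE
    return re.compile(pattern, re_flags)


def extract_username(cert_text, vcs_regex=VCS_REGEX, username_format=USERNAME_FORMAT):
    """Return the username the VCS would derive, or None if the certificate would be rejected."""
    regex = to_python_regex(vcs_regex)
    m = regex.search(cert_text)
    if not m or m.groupdict().get("capture") is None:
        return None
    return username_format.replace("#captured#", m.group("capture"))


if __name__ == "__main__":
    print(extract_username(ANTMAN_TEXT))        # antman
    print(extract_username(OTHER_DOMAIN_TEXT))  # None: this user would be locked out
```

Run the script against the text dump of your own client certificate before clicking Make these changes permanent; a None result for an administrator's card means that card will not get past Client-Based Authentication.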
Help! I am locked out!!!
If you enable Client-Based Authentication and the VCS rejects the certificate for whatever reason, you are no longer able to log in to the web GUI in the traditional way. Do not fret, there is a way back into your system: the attached document, available on the Cisco website, explains how to disable Client-Based Authentication from root access.
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.