Filter
Top Products
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2
8-14 Virtual Private Networking
201-10301-02, May 2005
Using Digital Certificates for IKE Auto-Policy Authentication
Digital certificates are strings generated using encryption and authentication schemes which
cannot be duplicated by anyone without access to the different values used in the production of the
string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation
uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities
(PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The
FWG114P v2 is able to use certificates to authenticate users at the end points during the IKE key
exchange process.
The certificates can be obtained from a certificate server an organization might maintain internally
or from the established public CAs. The certificates are produced by providing the particulars of
the user being identified to the CA. The information provided may include the user's name, e-mail
ID, domain name, and so on.
Each CA has its own certificate. The certificates of a CA are added to the FWG114P v2 and can
then be used to form IKE policies for the user. Once a CA certificate is added to the FWG114P v2
and a certificate is created for a user, the corresponding IKE policy is added to the FWG114P v2.
Whenever the user tries to send traffic through the FWG114P v2, the certificates are used in place
of pre-shared keys during initial key exchange as the authentication and key generation
mechanism. Once the keys are established and the tunnel is set up the connection proceeds
according to the VPN policy.
Certificate Revocation List (CRL)
Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these
revoked certificates is known as the Certificate Revocation List (CRL).
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the
CRL on the FWG114P v2 obtained from the corresponding CA. If the certificate is not present in
the CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
You must manually update the FWG114P v2 CRL regularly in order for the CA-based
authentication process to remain valid.