Cisco ASA 5515-X Adaptive Security Appliance Design Guide
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 4 of 53
the certificates, the only common identifier is the Subject field. This field contains an identical
Distinguished Name on all three certificates.
ID Certificate
The ID Certificate contains the Key Usage fields that indicate that this certificate is to be used for
Digital Signature and Non-Repudiation. This is the only certificate that does not contain either a
SAN or EKU. This is also the only certificate signed by a CA designated as an email CA.
Signature Certificate
The Signature Certificate contains both the SAN and EKU. The SAN contains the email address of
the user and the PN. The EKU of this certificate also includes the Smart Card Logon purpose. This is the
certificate that is used by Active Directory for Smart Card Logon. This is the only certificate that
can be used when implementing the ASA using the methods outlined in this document.
Encryption Certificate
The Encryption Certificate contains a SAN, but the SAN contains only the email address and no
PN. This certificate does not contain an EKU.
CAC and Active Directory Integration
This basic overview of the integration of CAC and Active Directory will provide simple background
information on the processes involved when Active Directory is CAC-enabled.
Smart Card Logon Overview
When the Active Directory is CAC-enabled, the user must insert a CAC into the workstation reader
and enter a PIN. The workstation then sends the PKI Credentials to the Active Directory using the
Kerberos protocol. Refer to Microsoft’s Smart Card Logon White Paper, available from
http://www.microsoft.com/windows2000/docs/sclogonwp.doc, for details.
Once the user’s certificate is validated, the AD server uses the Principal Name taken from the SAN
of the Signature Certificate to search for the user in the Active Directory and grants or denies access
based on the settings found.
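The three CAC certificate profiles described above, and the rule AD applies when picking the one for Smart Card Logon, as an added example that is not part of the Cisco guide. It builds three self-signed test certificates with the `cryptography` library (an identical Subject DN, and SAN/EKU contents as described; Key Usage is omitted), then selects the only one carrying both the Smart Card Logon EKU and a Principal Name in the SAN. The names, OID constants, and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
# Microsoft OIDs: the UPN otherName in the SAN and the Smart Card Logon EKU purpose.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
SC_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")

def upn_other_name(upn):
    raw = upn.encode()  # DER UTF8String: tag 0x0C, short-form length (< 128), bytes
    return x509.OtherName(UPN_OID, bytes([0x0C, len(raw)]) + raw)

def make_cert(*exts):
    """Self-signed test cert; the Subject DN is identical on all three, as on a CAC."""
    key = ec.generate_private_key(ec.SECP256R1())
    dn = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "DOE.JOHN.1234567890")])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(dn).issuer_name(dn)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    for e in exts:
        b = b.add_extension(e, critical=False)
    return b.sign(key, hashes.SHA256())

def ext(cert, cls):
    # Extension value, or None when the certificate does not carry it.
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def principal_name(cert):
    """Principal Name (UPN) from the SAN otherName, or None."""
    san = ext(cert, x509.SubjectAlternativeName)
    for other in (san.get_values_for_type(x509.OtherName) if san else []):
        if other.type_id == UPN_OID:
            return other.value[2:].decode()  # drop the UTF8String tag and length
    return None

def usable_for_smart_card_logon(cert):
    """AD needs the Smart Card Logon EKU plus a Principal Name in the SAN."""
    eku = ext(cert, x509.ExtendedKeyUsage)
    return bool(eku and SC_LOGON in eku and principal_name(cert))

# Constructed CAC-style trio: ID (no SAN, no EKU), Signature (email + PN, EKU), Encryption (email only).
EMAIL = x509.RFC822Name("john.doe@mail.mil")
CAC = {"id": make_cert(),
       "signature": make_cert(x509.SubjectAlternativeName([EMAIL, upn_other_name("1234567890@mil")]),
                              x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, SC_LOGON])),
       "encryption": make_cert(x509.SubjectAlternativeName([EMAIL]))}
```

The Principal Name returned for the Signature Certificate is the EDI/PI@mil form that the AD User Principal Name must match, which is why the @mil UPN suffix is needed on the domain.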
Implementing Windows NT Server Smart Card Logon
The basic steps in integrating CACs with Windows Active Directory are discussed in this section.
Users wishing to implement CACs with Active Directory should refer to the official documentation.
Integrate DoD PKI CAs into MS Enterprise Root
To enable the AD to recognize and validate CAC certificates, all of the DoD PKI Root and
Intermediate CAs must be imported into the Enterprise Root CA and the NT Authorized CA.
Note: While this integration requires an MS CA to be installed in the AD, the MS CA will not
be used for issuing certificates.
Enable @mil
For the user credentials, the CAC-enabled AD will use the Principal Name field in the SAN to
authenticate users. Since the Principal Name is in the form EDI/PI@mil, an alternative User
Principal Name (UPN) suffix of “@mil” must be added. This will enable all of the user names to be
changed to match the Principal Name field in the SAN of the Signature Certificate.
Individual User Settings
As discussed earlier, the AD User Principal Name must match the Principal Name field in the SAN.
This can be accomplished by changing the Logon Name of the user in the Accounts tab. To force