diff --git a/tutorials/intune-mdm-setup-guide.mdx b/tutorials/intune-mdm-setup-guide.mdx index 1d3a2e52..237caea9 100644 --- a/tutorials/intune-mdm-setup-guide.mdx +++ b/tutorials/intune-mdm-setup-guide.mdx @@ -12,7 +12,7 @@ In this tutorial, you will configure Smallstep and Microsoft Intune to establish You will: - Connect Microsoft Entra ID to Smallstep via an Entra ID App Registration. -- Create and configure an Intune Device Collection in Smallstep +- Configure an Intune Integration in Smallstep - Configure Intune to use Smallstep as a CA Once you've completed this tutorial, your Intune certificate enrollment process will look like this: @@ -79,24 +79,20 @@ You’ve completed the App Registration setup. ## 3. Configure Smallstep In your Smallstep dashboard, -visit the **Devices** tab, -create a **+ New Collection**, -choose **Intune Windows Devices**, -and choose **Submit**. +visit the **Integrations** tab, +and choose **Intune**. -Configure the Collection with the values you gathered above: +Configure the integration with the values you gathered above: -- The tenant **Primary domain** - The App Registration **Application (client) ID** - The App Registration **Secret Value** +- The **Intune Tenant Name** (this is the tenant's primary domain) -Once the Collection is created, you'll need to make a new Account. -Choose **+ Add Account**. -Choose either Wi-Fi or VPN, depending on what you need, and select Create. +Once the integration is added, go to the Protect tab. +Choose either Wi-Fi or VPN, depending on what you need, and add a Wi-Fi or VPN resource. This tutorial assumes you are configuring EAP-TLS Wi-Fi network access. - -Once you've created the Account, open the Account details. -You cna keep this tab open as you configure Intune. +Once you've created the Wi-Fi resource, open the Wi-Fi resource details page. +You can keep this tab open as you configure Intune. To prepare for the next section: - Download your Root CA Certificate 
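Review bot: The second hunk (@@ -79,24) leaves the VPN reader without a next step: the added lines "+Choose either Wi-Fi or VPN, depending on what you need, and add a Wi-Fi or VPN resource." offer a fork, but everything after it ("+Once you've created the Wi-Fi resource, open the Wi-Fi resource details page.", "Download your Root CA Certificate") is written for Wi-Fi only. Either state that the details page and the Root CA download are the same for a VPN resource, or drop the VPN option from this tutorial since the next sentence already says it assumes EAP-TLS Wi-Fi. Minor: in the first hunk the list now mixes a trailing period on the Entra ID item with none on "+- Configure an Intune Integration in Smallstep".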
diff --git a/tutorials/vpn-client-setup-guide.mdx b/tutorials/vpn-client-setup-guide.mdx new file mode 100644 index 00000000..04840fad --- /dev/null +++ b/tutorials/vpn-client-setup-guide.mdx 
@@ -0,0 +1,261 @@ +--- +title: Configure Certificate-Based VPN With Smallstep +updated_at: June 3, 2024 +html_title: How to configure common VPN servers to use Smallstep for client and server certificate authentication +description: This tutorial describes how to configure Smallstep with VPN servers for a high-security, certificate-based VPN server +--- + +Smallstep supports any Remote Access VPN that offers X.509 client certificate authentication. +This includes IKEv2 VPN (using EAP-TLS), OpenVPN, and F5 SSL VPN. + +Site-to-site VPNs are not officially supported, but Smallstep can issue certificates for those. + + +The following VPN clients are covered in this document: +- [IKEv2 EAP-TLS VPN](#ikev2-eap-tls) +- [F5 SSL VPN](#f5-ssl-vpn) +- [OpenVPN](#openvpn) +- [](#cisco-meraki-anyconnect) + +## IKEv2 EAP-TLS + +IKEv2 with EAP-TLS is a common standards-based VPN authentication method +for end-user certificate-based authentication. + +VPN configurations can be created manually or using Mobile Device Management (MDM). + +General instructions for VPN configuration: +For macOS, see [Set up a VPN Connection on Mac](https://support.apple.com/guide/mac-help/set-up-a-vpn-connection-on-mac-mchlp2963/14.0/mac/14.0) +For Apple devices using MDM, see [VPN settings overview for Apple devices](https://support.apple.com/guide/deployment/vpn-settings-overview-dep2d2adb35d/web). +For Windows, see [Connect to a VPN in Windows](https://support.microsoft.com/en-us/windows/connect-to-a-vpn-in-windows-3d29aeb1-f497-f6b7-7633-115722c1009c) + + +## F5 Edge and F5 Access Clients + +Intended audience: Enterprise IT administrators +Estimated time commitment: 1 hour + +### Introduction + +In this tutorial, we will configure an F5 SSL VPN on [F5 BIG-IP® APM](https://www.f5.com/products/big-ip-services/access-policy-manager) to use Smallstep certificate-based authentication with mutual TLS. + +Client certificate management is not documented here. 
Client certificates could be issued to the F5 Access or Edge Client by the Smallstep app or by an MDM. + +You will need a BIG-IP® instance with Local Traffic (LTM) and Access Policy (APM) resources provisioned. + +This tutorial was tested on BIG-IP® VE v17.1.1 Build 0.2.6. + +### Overview of the setup + +For a complete setup, you will add the following to your F5 BIG-IP® configuration: + +- An Access Profile with an Access Policy that performs certificate authentication and assigns resources to clients that successfully authenticate. + + The Access Profile also contains configuration for the VPN itself, including IP lease pools and DNS settings. + +- A Virtual Server which will serve your VPN traffic. This is where you’ll configure the mutual TLS handshake for your VPN server. The Virtual Server will accept client certificates from Smallstep, and use a server certificate from Smallstep. + +### Access Profile + +The Access Profile defines the certificate authentication flow and VPN settings for F5 BIG-IP®. + +**This is just an example policy. After importing, please review and modify it as needed**. You may want a fallback authentication method, for instance, in case certificate authentication fails. Or you may want a different set of resource assignments after successful certificate authentication. + +1. Download this profile: [smallstep-vpn-profile.conf.tar.gz](https://files.smallstep.com/smallstep-vpn-profile.conf.tar.gz) +2. Go to Access → Profiles / Policies and choose Import… + - Profile name: `smallstep` + - Config File Upload: Upload smallstep-vpn-profile.conf.tar.gz + +3. Choose “Import” + +Here’s what the Access Policy will look like once imported: + +![Imported BIG IP Access Policy](/graphics/imported-access-policy.png) + +After import, you’ll need to customize your Access Profile to align with your VPN needs. 
Users commonly customize things like: + +- IP Lease Pool address ranges +- Compression settings (in the Network Access List) +- DNS servers and domain suffix (in the Network Access List) + +### Configuring TLS + +Next, you’ll configure the TLS handshake for your VPN. You’ll add the following: + +- CAs and Certificates for your Virtual Server + - F5 Menu: System → Certificate Management → Traffic Certificate Management → SSL Certificate List +- A Client SSL Profile + - F5 Menu: Local Traffic → Profiles → SSL → Client +- Virtual Server Configurations for ports 80 and 443 + - F5 Menu: Local Traffic → Virtual Servers + +### Certificates and Certificate Authorities + +Now let’s configure CAs and Certificates on the BIG IP. + +First, you’ll add a root of trust that will verify client certificates: + +1. Go to System → Certificate Management → Traffic Certificate Management → SSL Certificate List +2. Choose “Import…” and on the next screen, choose: + - Import Type: Certificate + - Certificate Name: `smallstep-accounts-root-intermediate` + - Certificate Source: Browse for the Intermediate and Root Cert Bundle from your Smallstep Accounts CA + - Choose Import +3. You should now see a new Certificate Bundle in the list. + +Next, you’ll configure a server certificate and private key for your virtual server’s Client SSL profile. This certificate must be issued by a root CA that will be trusted by your VPN clients when they connect. + + + +1. Create the server certificate and private key. You can do this in the Smallstep UI, or locally by running `step ca certificate`. For example: + + ```bash + $ step ca certificate vpn.example.com server.crt server.key \ + --not-after 8160h \ + --san vpn.example.com \ + --san 14.13.12.10 + ``` + +2. Combine the certificate + intermediate CA certificate and the private key into a PKCS 12 archive. You can generate a PKCS 12 archive with `step`. 
For example, if `server.crt` contains your server certificate and intermediate CA PEM blocks, and `server.key` contains your server private key, run: + + ```bash + $ step certificate p12 server.p12 server.crt server.key + ``` + + You’ll be asked to provide a password to encrypt the file. + +3. Next, in F5 BIG IP, go to System → Certificate Management → Traffic Certificate Management → SSL Certificate List +4. Choose “Import…” and on the next screen, choose: + - Import Type: PKCS 12 (IIS) + - Certificate and Key Name: `smallstep-vpn-server` + - Certificate and Key Source, browse for your `server.p12` PKCS 12 archive + - Enter the password you used to encrypt the PKCS 12 archive +5. Choose Import + +You should now see the EC Certificate & Key you uploaded, in the SSL Certificate List. + +### Virtual Servers + +Now you’ll associate your Access Policy to a Virtual Server + +You’ll need two Virtual Server configurations: + +- For port 80, to redirect to port 443 using the built-in redirect iRule +- For port 443, with attached profiles + +To get started, create a Client SSL profile: + +1. Go to Local Traffic → Profiles → SSL → Client +2. Create a new Client SSL Profile +3. Use the following values: + - Name: `smallstep-clientssl` + - Certificate Key Chain: Add the `smallstep-vpn-server` server certificate and private key you imported earlier + - Client Certificate: Request + - Trusted Certificate Authorities: Choose the `smallstep-accounts-root-intermediate` CA Bundle that you imported earlier. Your client certificates must be issued by this CA. + - Advertised Certificate Authorities: Same value as Trusted Certificate Authorities +4. Save the Profile + +Next, create a Connectivity Profile: + +1. Go to Local Traffic → Profiles → Services → Connectivity +2. Choose “Add…” + - Name: `smallstep-connectivity` + - Parent profile: `/Common/connectivity` +3. Ok + +Next, create the Virtual Server for port 80 + +1. Go to Local Traffic → Virtual Servers +2. Choose “Create…” +3. 
Use the following properties: + - Name: `smallstep-vpn-redirect` + - Provide your source address mask, eg. `0.0.0.0/0` + - Provide your destination address/mask. This may be the internal IP addresses of your F5 BIG IP. + - Service port: 80 / HTTP + - HTTP Profile (Client): http + - Add iRule **`_sys_https_redirect`** + +Finally, create a Virtual Server for port 443: + +1. Go to Local Traffic → Virtual Servers +2. Choose “Create…” +3. Use the following properties: + - Name: `smallstep-vpn` + - Provide your source and destination addresses/masks + - Service port: 443 / HTTPS + - HTTP Profile (Client): http + - SSL Profile (Client): Add the Client SSL Profile you created above + - Access Profile: Select the Access Profile you imported above + - Connectivity Profile: Select the Connectivity Profile you created above + +Your VPN configuration is now ready for testing. + +Further reading: + +- [F5: Configuring an HTTP virtual server to redirect to HTTPS using an iRule](https://my.f5.com/manage/s/article/K10090418) +- [F5’s Dev/Central](https://community.f5.com/) Community support + +--- + +### Creating an Access Profile manually + +If you want to create an Access Profile manually instead of importing one, do the following: + +### Add a Network Access List + +1. Go to Access → Connectivity / VPN → Network Access (VPN) → Network Access Lists +2. Choose “Create…” + - Name: `smallstep-na-res` + - Description: `Smallstep VPN Access` + - Customize the Customization Settings as desired +3. Choose “Finished” + +### Add an IPv4/IPv6 Lease Pool + +Add at least one lease IPv4 or IPv6 lease pool: + +1. Go to Access → Connectivity / VPN → Network Access (VPN) → IPv4 Lease Pools +2. Choose “Create…” + - Name: `smallstep-lp` + - Start IP: `192.168.133.2`, for example + - End IP: `192.168.133.254`, for example + +### Add an Access Profile + +1. 
Go to Access → Profiles / Policies and create an Access Profile + - Name: `smallstep-vpn` + - Profile Type: All + - Languages: Add a language + - Choose “Finish” +2. Open the access policy you just created. In the Access Policy tab, open the visual policy editor +3. Import the following Access Policy: + + If you want to create this policy manually, do the following: + + - Authentication → On-Demand Cert Auth: Dynamically initiate an SSL re-handshake and validate the received client certificate + - Choose Auth Mode: “Require” + - Leave all other settings as default + - On the “Successful” branch after “On-Demand Cert Auth”, add Authentication → Client Cert Inspection: Check the result of client certificate authentication by the Local Traffic Client SSL profile + - Leave all settings as default + - On the “Successful” branch after “Client Cert Inspection”, add Assignment → Advanced Resource Assign: + - Use the Simple Expression “Client Cert is valid” + - Add a new Resource Assignment entry + - Assign your Network Access Profile + - Save + + The Advanced Resource Assign properties should look like this: + + ![Advanced Resource Assign properties](/graphics/advanced-resource-assign.png) + + - Finally, change the fallback Ending from Advanced Resource Assign to **Allow** + +## Juniper SSL-VPN + +See [Create a Remote Access VPN—Juniper Secure Connect](https://www.juniper.net/documentation/us/en/software/jweb-srx21.3/jweb-srx/topics/task/j-web-security-ipsec-remote-access-vpn-juniper-secure-connect-creating.html) + +## Cisco Meraki AnyConnect + +- [Server docs at meraki.net](https://learning.meraki.net/#/online-courses/3def4293-8b71-406f-ae12-ab0c1028261b) +- [Client docs at meraki.net](https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Client_deployment) diff --git a/tutorials/vpn-setup-guide-azure-vng.mdx b/tutorials/vpn-setup-guide-azure-vng.mdx index 55e3c175..1c72202f 100644 --- a/tutorials/vpn-setup-guide-azure-vng.mdx 
+++ b/tutorials/vpn-setup-guide-azure-vng.mdx @@ -14,6 +14,8 @@ You can use an [Azure Point-to-Site VPN](https://learn.microsoft.com/en-us/azure In this tutorial, we'll set up client certificate authenticatin with Smallstep, using an IPSec IKEv2 VPN. +You will need the [`step` CLI](https://smallstep.com/docs/step-cli/installation/) tool. + ## Step-by-step instructions 1. Start by deploying a Virtual Network Gateway. Follow the steps in [Create the VPN Gateway](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#creategw) section of Microsoft's tutorial. Deploy the gateway, but do not generate any certificates yet. 
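Review bot: The context line directly above the addition, "In this tutorial, we'll set up client certificate authenticatin with Smallstep", has a typo ("authenticatin"); since "+You will need the [`step` CLI](https://smallstep.com/docs/step-cli/installation/) tool." is inserted right under it, fix the typo in the same change. It would also help to say what the CLI is needed for here (the DER-to-PEM conversion with `step certificate format` later in the guide), so the prerequisite does not look arbitrary to a reader who otherwise works only in the Azure portal and the Smallstep UI.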
@@ -41,25 +43,21 @@ In this tutorial, we'll set up client certificate authenticatin with Smallstep, This file is in DER (binary) certificate format. Before you upload it to Smallstep, convert it to PEM format. - Run: + In the CLI, run: ``` step certificate format VpnServerRoot.cer_0 > VpnServerRoot.pem ``` -3. In [Smallstep](https://smallstep.com/app), create a Mobile Device Collection and add your device to it. - (If you're using the Smallstep app, a New Devices collection will be created for you when you sign in.) - -4. Now, under the Accounts tab of your Device Collection, create a VPN Account: - - * Connection type: **IKEv2 with IPSec** +3. In Smallstep's Protect tab, create a [VPN resource](https://smallstep.com/app/?next=/protect/vpn): + * VPN Server: Azure Virtual Network * Remote address: Use the server name or remote IP of your Azure VPN * Remote ID: Use the Remote ID you located earier. - * Server Certificate Roots: Choose "Upload external root" and upload the `VpnServerRoot.pem` file you created earlier. - -5. Choose "Save account" -6. Download your Smallstep Root Certificate from the Authority Settings page. -7. In Azure, follow the instructions in [Upload root certificate public key information](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#uploadfile) to add the Smallstep Root Certifcate to the Root certificates section of your VPN's Point-to-site Configuration. +4. Choose "Next" +5. Under Certificate authorities, choose "Upload external root" and upload the `VpnServerRoot.pem` file you created earlier. +6. Finish creating the resource. +7. On the VPN resource page, download your Smallstep Root Certificate for your Accounts CA. This is the CA that will authenticate your devices. +8. 
In Azure, follow the instructions in [Upload root certificate public key information](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#uploadfile) to add the Smallstep Root Certifcate to the Root certificates section of your VPN's Point-to-site Configuration. You're now ready to verify your VPN connection. diff --git a/tutorials/vpn-setup-guide-f5.mdx b/tutorials/vpn-setup-guide-f5.mdx index 5780e55b..4aa371f1 100644 --- a/tutorials/vpn-setup-guide-f5.mdx +++ b/tutorials/vpn-setup-guide-f5.mdx 
@@ -230,72 +230,3 @@ Add at least one lease IPv4 or IPv6 lease pool: - Finally, change the fallback Ending from Advanced Resource Assign to **Allow** -## Azure Virtual Network Gateway - -You can use an [Azure Point-to-Site VPN](https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about) to connect clients to your Azure virtual network. - -In this tutorial, we'll set up client certificate authenticatin with Smallstep, using an IPSec IKEv2 VPN. - -1. Start by deploying a Virtual Network Gateway. Follow the steps in [Create the VPN Gateway](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#creategw) section of Microsoft's tutorial. Deploy the gateway, but do not generate any certificates yet. - -2. Once the Gateway is deployed, gather the following properties for your Virtual Network Gateway: - - * The gateway's **Public IP Address** - * The gateway's **Remote ID** and **Root CA Certificate**. - These are loacated inside the Point-to-Site configuration settings file. - To find these values, - in the Point-to-Site Configuration tab of the Virtual Network Gateway settings, - choose **Download VPN Client**. - - When you choose "Download VPN Client", you will receive a ZIP file containing two crucial configuration parameters: - - * Your gateway's **Remote ID**, located in `Generic/VpnSettings.xml`. - The Remote ID is the value inside the `` XML tag. - It will look like this: - - ``` - azuregateway-90fe1132-27af-6789-8aa9-4993ac57dd5b-7981e7988384.vpn.azure.com - ``` - - * Your gateway's **Root CA Certificate**, located in `Generic/VpnServerRoot.cer_0` - - This file is in DER (binary) certificate format. - Before you upload it to Smallstep, convert it to PEM format. - Run: - - ``` - step certificate format VpnServerRoot.cer_0 > VpnServerRoot.pem - ``` - -3. In [Smallstep](https://smallstep.com/app), create a Mobile Device Collection and add your device to it. 
- (If you're using the Smallstep app, a New Devices collection will be created for you when you sign in.) - -4. Now, under the Accounts tab of your Device Collection, create a VPN Account: - - * Connection type: **IKEv2 with IPSec** - * Remote address: Use the server name or remote IP of your Azure VPN - * Remote ID: Use the Remote ID you located earier. - * Server Certificate Roots: Choose "Upload external root" and upload the `VpnServerRoot.pem` file you created earlier. - -5. Choose "Save account" -6. Download your Smallstep Root Certificate from the Authority Settings page. -7. In Azure, follow the instructions in [Upload root certificate public key information](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#uploadfile) to add the Smallstep Root Certifcate to the Root certificates section of your VPN's Point-to-site Configuration. - -You're now ready to verify your VPN connection. - -### Further reading - -Microsoft's "Configure a point-to-site VPN" tutorial provides the basis for this tutorial: - - * [Azure Portal version](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal) - * [Azure PowerShell version](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps) - - -## Juniper SSL-VPN - -See [Create a Remote Access VPN—Juniper Secure Connect](https://www.juniper.net/documentation/us/en/software/jweb-srx21.3/jweb-srx/topics/task/j-web-security-ipsec-remote-access-vpn-juniper-secure-connect-creating.html) - -## Cisco Meraki AnyConnect - -- [Server docs at meraki.net](https://learning.meraki.net/#/online-courses/3def4293-8b71-406f-ae12-ab0c1028261b) -- [Client docs at meraki.net](https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Client_deployment) diff --git a/tutorials/vpn-setup-guide-strongswan.mdx b/tutorials/vpn-setup-guide-strongswan.mdx index 3883a0c5..05b58d23 100644 
--- a/tutorials/vpn-setup-guide-strongswan.mdx +++ b/tutorials/vpn-setup-guide-strongswan.mdx @@ -11,15 +11,12 @@ This configuration was tested with strongSwan 5.9.13. In this section, you'll configure strongSwan to use full EAP-TLS client authentication with Smallstep client certificates. -1. In Smallstep, under Mobile Devices, create (or go to) the Device Collection for the devices that will be VPN clients. -2. Under the Accounts tab, add a VPN Account. - - For Connection Type, choose `IKEv2 with IPSec` - - For Key Type, choose `RSA_2048` +1. In Smallstep, under the Protect tab, add a VPN resource. + - Choose strongSwan as the VPN server - Add your Remote Address and Remote ID - - Choose Save -3. Once you’ve created the VPN Account, download the Root CA Certificate from the VPN Settings page. This is the CA your clients will get certificates from. -4. Copy the Root CA certificate you just downloaded into `/etc/swanctl/x509ca/accounts_root_ca.crt` on your strongSwan servers. -5. In `/etc/swanctl/swanctl.conf`, update the [`connections..remote` section](https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote) to look like: +2. Once you’ve created the VPN resource, download the Root CA Certificate from the VPN Settings page. This is the CA your clients will get certificates from. +3. Copy the Root CA certificate you just downloaded into `/etc/swanctl/x509ca/accounts_root_ca.crt` on your strongSwan servers. +4. In `/etc/swanctl/swanctl.conf`, update the [`connections..remote` section](https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote) to look like: ```bash remote { 
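Review bot: The first hunk of vpn-setup-guide-strongswan.mdx (@@ -11,15) drops the client key-type guidance without replacing it: the removed lines "-   - For Connection Type, choose `IKEv2 with IPSec`" and "-   - For Key Type, choose `RSA_2048`" are replaced only by "+   - Choose strongSwan as the VPN server", while the later server-side hunk still recommends "Key Type: 2048-bit RSA (for maximum compatibility)". If choosing strongSwan as the server type fixes the client key type, say so in step 1; if the key type is still a user choice, keep the RSA_2048 recommendation so client certificates stay compatible with the strongSwan build the page was tested against. Separately, the link text "[`connections..remote` section]" in the rewritten step 4 (and its removed counterpart) has an empty path component between the dots; the strongSwan reference names this section `connections.<conn>.remote`, so the angle-bracket placeholder was probably eaten by MDX and should be escaped rather than left as `..`.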
@@ -31,7 +28,7 @@ In this section, you'll configure strongSwan to use full EAP-TLS client authenti You can constrain the IKE `id` to match a subject name from the certificate, if you wish. See the [strongSwan documentation](https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote) for details. -6. Restart strongSwan. You now have client EAP-TLS authentication for your VPN! +5. Restart strongSwan. You now have client EAP-TLS authentication for your VPN! For testing, you can get a certificate from the Accounts CA using the Smallstep UI. Visit Certificate Manager → Authorities → Smallstep Accounts CA, and get a certificate on that page. @@ -41,10 +38,9 @@ To deploy and manage certificates for strongSwan to all your VPN clients, you ca In this section, you'll configure a strongSwan Server TLS certificate issued from your Smallstep CA. -1. Add a Virtual Machine Collection in Smallstep, for your VPN servers -2. [Install `step-agent`](https://www.notion.so/Install-the-Smallstep-agent-on-a-Linux-device-2a161d11bb244267aeeb36327c3075fb?pvs=21)on a VPN server, and make sure it is running as a service and is connected to Smallstep. -3. Add a Workload Collection for your strongSwan server, selecting Custom Client and Server as the Workload Type. -4. When creating the Workload Collection, use Advanced Settings to select the following: +1. [Install `step-agent`](https://www.notion.so/Install-the-Smallstep-agent-on-a-Linux-device-2a161d11bb244267aeeb36327c3075fb?pvs=21) on a VPN server, and make sure it is running as a service and is connected to Smallstep. +2. Add a Workload Collection for your strongSwan server, selecting Custom Client and Server as the Workload Type. +3. When creating the Workload Collection, use Advanced Settings to select the following: * Key Type: 2048-bit RSA (for maximum compatibility) * Server certificate location: `/etc/swanctl/x509/vpn.crt` * Server key location: `/etc/swanctl/private/vpn.key` 
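Review bot: In the @@ -41,10 hunk, the rewritten step 1 keeps "+1. [Install `step-agent`](https://www.notion.so/Install-the-Smallstep-agent-on-a-Linux-device-2a161d11bb244267aeeb36327c3075fb?pvs=21) on a VPN server" pointing at a notion.so workspace page; since this is a public tutorial, readers are likely to hit a login wall, and an agent install procedure is exactly the step where they should be following an official, versioned page. Replace it with the public docs location for the agent install (the hunk fixes only the missing space before "on"). Also, with "-1. Add a Virtual Machine Collection in Smallstep, for your VPN servers" removed, step 2 "Add a Workload Collection for your strongSwan server" no longer says where in the UI the Workload Collection is created; a short "under ..." pointer would restore that.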
@@ -53,9 +49,9 @@ In this section, you'll configure a strongSwan Server TLS certificate issued fro You may need to adjust the user, group, or file locations to match your specific OS and distribution. -5. Deploy the new Workload Collection. -6. Confirm that the Smallstep-managed certificate and private key for strongSwan appear on the VM, in `/etc/swanctl/x509/vpn.crt` and `/etc/swanctl/private/vpn.key`. These will be managed and renewed by the `step-agent` process. -7. The `vpn.crt` file is a PEM bundle containing the server certificate and the Workloads Intermediate CA certificate. **strongSwan will only read the first certificate in `vpn.crt`. So, the Intermediate CA certificate will need to be in a separate file.** +4. Deploy the new Workload Collection. +5. Confirm that the Smallstep-managed certificate and private key for strongSwan appear on the VM, in `/etc/swanctl/x509/vpn.crt` and `/etc/swanctl/private/vpn.key`. These will be managed and renewed by the `step-agent` process. +6. The `vpn.crt` file is a PEM bundle containing the server certificate and the Workloads Intermediate CA certificate. **strongSwan will only read the first certificate in `vpn.crt`. So, the Intermediate CA certificate will need to be in a separate file.** Run the following to separate the two certificates: 
@@ -67,7 +63,7 @@ In this section, you'll configure a strongSwan Server TLS certificate issued fro Run `step certificate inspect` to confirm that your Intermediate CA certificate was written to `/etc/swanctl/x509ca/intermediate.crt`. -8. Now let’s configure strongSwan to use your new server TLS certificate. In `/etc/swanctl/swanctl.conf`, your [`connections..local` section](https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_local) should look like: +7. Now let’s configure strongSwan to use your new server TLS certificate. In `/etc/swanctl/swanctl.conf`, your [`connections..local` section](https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_local) should look like: ```bash local { @@ -82,7 +78,7 @@ In this section, you'll configure a strongSwan Server TLS certificate issued fro The `id` value should match the Subject Common Name in your server certificate. -9. Restart strongSwan. +8. Restart strongSwan. You should now have server authentication enabled. diff --git a/tutorials/vpn-setup-guide.mdx b/tutorials/vpn-setup-guide.mdx index 3e348e26..7da33eee 100644 --- a/tutorials/vpn-setup-guide.mdx +++ b/tutorials/vpn-setup-guide.mdx 
@@ -27,15 +27,15 @@ to use Smallstep certificate authentication is broadly the same: Smallstep will need the Root Certificate for your VPN server, which it will pass along to clients for the purpose of creating a trusted connection. -5. In Smallstep, under Mobile Devices, create a Device Collection. -6. Create a VPN Account in the Device Collection, - using your VPN's Server Name (or IP address), Remote ID, and Root Certifcate +5. In Smallstep, [go to Protect -> VPN](https://smallstep.com/app/?next=/protect/vpn) and **+ Add VPN**. + You may be asked for your VPN's Server Name (or IP address), Remote ID, and Root Certifcate (if it's a non-Smallstep server ceritificate, choose "Upload external root"). -7. Once you've saved the Account, - download the Root Certificate (in PEM format) from the VPN Account page. +6. Once you've saved the VPN resource, + choose the VPN resource you just created, + and download the Root Certificate (in PEM format) from the VPN resource page. This is your Account CA. - Your devices will be issued VPN account certificates from your Account CA. -8. Finally, + Your devices will be issued VPN account certificates from this CA. +7. Finally, configure your VPN server to authenticate clients using the Account CA certificate you just downloaded from Smallstep. diff --git a/tutorials/wifi-setup-guide.mdx b/tutorials/wifi-setup-guide.mdx index 3fbf17cb..c8651271 100644 --- a/tutorials/wifi-setup-guide.mdx +++ b/tutorials/wifi-setup-guide.mdx 
@@ -30,7 +30,7 @@ For MDM enrollment, we have integrations and tutorials for [Jamf](https://smalls ## On this page, you'll find: -- [Create a Wi-Fi Device Collection in Smallstep](#create-a-wi-fi-device-collection-in-smallstep) +- [Protect a Wi-Fi Resource in Smallstep](#protect-a-wi-fi-resource-in-smallstep) - [Configure 802.1x EAP-TLS on any Access Point](#general-instructions-for-configuring-8021x-eap-tls-on-any-access-point) - Instructions for specific Access Points: - [Ubiquiti Unifi](#configure-8021x-eap-tls-wpa-enterprise-wi-fi-on-ubiquiti-unifi) 
@@ -44,29 +44,19 @@ For MDM enrollment, we have integrations and tutorials for [Jamf](https://smalls - [MikroTik](#configure-8021x-eap-tls-wpa-enterprise-wi-fi-on-mikrotik) - [Sophos UTM](#configure-8021x-eap-tls-wpa-enterprise-wi-fi-on-sophos-utm) -## Create a Wi-Fi Device Collection in Smallstep +## Protect a Wi-Fi Resource in Smallstep -Before you configure an Access Point for EAP-TLS, you need create a Smallstep Wi-Fi Account and RADIUS server. +Before you configure an Access Point for EAP-TLS, you need create a Smallstep Wi-Fi Resource. -If you haven’t already, [sign up for a Smallstep account](https://smallstep.com/signup). In your Smallstep account, you’ll want to create a Mobile Device Collection, add a Wi-Fi Account to it, and add your client devices to the collection. +If you haven’t already, [sign up for a Smallstep account](https://smallstep.com/signup) and add some devices for testing, under the Devices tab. -1. Create a Device Collection. - - [Sign into Smallstep](https://smallstep.com/app), go to the **Mobile Devices** tab, and choose **+ Add Collection**. Select **Any macOS, iPadOS, or iOS device** as the platform, and give your device collection a name. - -2. Add your device(s) to the device collection. - - Use the serial number of the device as the Device Identifier when you create it. - You can find the serial number for your device under `Settings > General > About`, - or in `About This Mac`. Make sure you click "Register Device". - -3. Create a “Wi-Fi” account in your new Smallstep Device Collection +1. [Sign into Smallstep](https://smallstep.com/app/?next=/protect/wifi). Under the Protect tab, go to Wi-Fi and Add a Wi-Fi resource. You’ll need to supply the Wi-Fi SSID you’ll use for WPA3 Enterprise and your public-facing (WAN) IP address, so our RADIUS server can identify requests from your network. -4. When you’re finished, you’ll see your RADIUS server details. Use these when you configure your Access Point. +2. 
When you’re finished, if you're using a Smallstep-managed RADIUS server, you’ll see your RADIUS server details. Use these details when you configure your Access Point. ## General Instructions for Configuring 802.1x EAP-TLS on any Access Point
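Review bot: The new file tutorials/vpn-client-setup-guide.mdx (@@ -0,0 +1,261) has a table of contents that does not match its headings: "+- [](#cisco-meraki-anyconnect)" has empty link text, "+- [F5 SSL VPN](#f5-ssl-vpn)" points at an anchor that the heading "+## F5 Edge and F5 Access Clients" will not generate, "+- [OpenVPN](#openvpn)" links to a section that does not exist in the file, and the "## Juniper SSL-VPN" section is missing from the list. In the manual Access Profile procedure, "+3. Import the following Access Policy:" is followed by nothing to import before "If you want to create this policy manually"; either attach the policy or remove the line. "+Add at least one lease IPv4 or IPv6 lease pool:" repeats "lease". The "### Add a Network Access List" and sibling headings sit at the same level as "### Creating an Access Profile manually", so they do not read as its sub-steps. For the `step ca certificate` example, `--san 14.13.12.10` is a routable public address; use an RFC 5737 documentation address such as `192.0.2.10` so nobody copies a real third-party IP into a server certificate. Finally, the Client SSL profile sets "Client Certificate: Request" while the access policy's On-Demand Cert Auth is set to "Require"; one sentence explaining that enforcement happens in the access policy, not the SSL profile, would stop readers from "hardening" the profile to Require and breaking the re-handshake flow.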
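Review bot: In vpn-setup-guide-azure-vng.mdx (@@ -41,25), the added line "+8. In Azure, follow the instructions in [Upload root certificate public key information](...) to add the Smallstep Root Certifcate" carries the "Certifcate" typo over from the line it replaces, and the context line "Remote ID: Use the Remote ID you located earier." has "earier". The rewritten steps also handle two different roots within three lines: step 5 uploads the Azure gateway's `VpnServerRoot.pem` into Smallstep, and step 7 downloads the Accounts CA root to upload into Azure. A short parenthetical in step 7 ("this is a different certificate from the VpnServerRoot.pem you uploaded in step 5") would prevent the most likely mistake, which is uploading the Azure server root back into Azure's Root certificates list.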
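Review bot: The vpn-setup-guide-f5.mdx hunk (@@ -230,72) removes the whole Azure, Juniper and Meraki tail of the file, which is consistent with those sections reappearing in vpn-setup-guide-azure-vng.mdx and the new vpn-client-setup-guide.mdx. One piece does not visibly reappear anywhere in this patch: the "-### Further reading" block with the "-   * [Azure Portal version](...)" and "-   * [Azure PowerShell version](...)" links to Microsoft's point-to-site tutorial. The azure-vng hunks shown touch only the prerequisites and the numbered steps, so please confirm those two links already exist in that file or add them there, since the Azure guide is derived from Microsoft's tutorial and should keep the attribution.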
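Review bot: In vpn-setup-guide.mdx (@@ -27,15), the added line "+   You may be asked for your VPN's Server Name (or IP address), Remote ID, and Root Certifcate" keeps the "Certifcate" misspelling from the removed line, and the unchanged context line below it has "ceritificate"; both are worth fixing while this list is being rewritten. The new step 5 also uses an ASCII arrow in "[go to Protect -> VPN]" where the other guides in this patch write navigation as "Access → Profiles / Policies" with "→"; pick one style across the tutorials.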
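Review bot: In wifi-setup-guide.mdx (@@ -44,29), the added line "+Before you configure an Access Point for EAP-TLS, you need create a Smallstep Wi-Fi Resource." is missing "to" ("you need to create"), an error inherited from the line it replaces. The new step 2, "+2. When you’re finished, if you're using a Smallstep-managed RADIUS server, you’ll see your RADIUS server details.", introduces a condition the page does not resolve: readers not using the Smallstep-managed RADIUS server are told nothing about where their RADIUS details come from, so either add the alternative or remove the qualifier. Step 1 also says the SSID is for "WPA3 Enterprise" while the page's own section anchors in the table of contents say "wpa-enterprise"; make sure the terminology matches what the access point sections actually configure.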