AnyConnect: User based authentication certificate filtering Configuration
Hello network colleagues.
Recently I needed to configure an AnyConnect SSL VPN with certificate authentication to meet the connection requirements of the Cisco Jabber features.
Everything is OK, but I need to filter users based on their personal certificate information. For example, everyone who has a personal certificate from our CA can currently access this VPN. I want to select users by the e-mail address in the certificate, so that only those users are granted access.
I used this command:
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 certificate-group-map Cert-Filter 10 Company-Jabber
crypto ca certificate map Cert-Filter 10
 subject-name attr ea eq [email protected]
The problem is that I can't get into the profile - if I change [email protected] to
On the AnyConnect client - I connect to the GroupURL of the connection profile Company-Jabber
Hi Alexandre
There are several ways to approach this, and it depends somewhat on the rest of the config, for example whether you have other tunnel groups, etc.
I guess the easiest way (if it does not interfere with the rest of your configuration) is to add something like this:
crypto ca certificate map Cert-Filter 65535
 subject-name ne ""
This would catch all users/certificates not matched by your previous rules.
Under webvpn you map these users to another tunnel-group (connection profile):
 certificate-group-map Cert-Filter 65535 NoAccess
And configure the NoAccess group so that access is denied (for example, by setting simultaneous logins to 0 in the corresponding group policy).
Other options would be to use DAP (dynamic access policies) for pretty much the same thing as the certmap, or LDAP authorization (for example, retrieve the user name from the certificate, then perform an LDAP search to see whether the user is allowed to use the VPN - in this scenario there is no need to list all the users on the ASA, but you would for example need to create a new group on your LDAP server that contains all VPN users).
Let me know if you want to go further with the above.
Cheers
Herbert
Tags: Cisco Security
Similar Questions
-
AnyConnect VPN client authentication using certificates
Guys, I'm trying to configure my ASA5505 to authenticate AnyConnect VPN clients using certificates. I have 'Certificates' defined as my authentication method in my AnyConnect connection profile (see screenshot), but I get 'Certificate Validation Failure' whenever I try to connect. The certificate I want to use is a computer certificate issued by my company's root CA (Windows Server 2008 running Active Directory Certificate Services). A screenshot of the certificate is attached. I added the root certificate on the ASA, and I tried all kinds of combinations using the corresponding certificate in the AnyConnect client profile. Each attempt failed, and I'm having no luck finding documentation on how to proceed. Any help would be greatly appreciated!
Hello Shaun,
The problem you're describing, not being able to authenticate via certificate through Microsoft Internet Explorer, is due to the fact that the certificate is in the computer store. You may want to confirm with Microsoft, but as I understand it Internet Explorer only uses the user store, so this certificate is not available to present to the ASA via the browser.
-Craig
-
Authentication card smart - authentication certificate user
I am developing an authentication solution for BlackBerry based on cryptographic SIM cards. I managed to create a smart card reader driver and a smart card driver using the RIM Crypto API. Using these two, I'm able to import a
certificate stored on the SIM card and enable two-factor user authentication that checks the device password and the PIN for the certificate. I can also set up a TLS session using private keys and certificates stored on the card. However, when trying to activate the "Authentication certificate" option in the password options panel, I encounter a problem. After selecting the certificate and clicking Save, the device asks me to enter the device password and the smart card PIN, which I do. Debugging tells me that the PIN is properly checked with the card. Subsequently, a 'Smart card access' popup appears with information that the RIM 'Options' application attempts to access the card with the message "the private key will be used to initialize authentication certificate". When I enter the PIN and click OK, I am told: 'Failed to initialize authentication certificate. Check that the certificate is not on the smart card used for two-factor authentication.'
Can someone tell me why this is? Must the certificate be special in some way (content, key usage restriction, etc.)? The certificate is obviously present on the card, as there is for example a client certificate for setting up TLS sessions. Also, what does this "initialization" of the certificate mean at all?
Well, I think I'll answer myself, as I managed to solve this problem.
After some debugging I realized that:
- After the second PIN prompt appears, the signRSA method (net.rim.device.api.crypto.RSACryptoSystem, net.rim.device.api.crypto.CryptoTokenPrivateKeyData, byte[], byte[], int, int, java.lang.Object) in our RSACryptoToken extension is called
- This method gets a context object (last parameter), which is a SmartCardSession
- During the processing of the sign request (cf. the RIM smart card and smart card reader driver examples) one must not create another smart card session, but instead reuse the one provided by the framework.
Trying to establish a new smart card session causes the request to block, because the sessions are exclusive, i.e. only one can be open at a time.
-
How does * (certificate-based authentication) work?
We do * in a company with Android phones and Exchange 2010.
We use ActiveSync to talk to Exchange via SSL.
It works.
I am documenting HOW it works (at a rather high level).
I have some information, but would like to know what happens when Exchange gets the device's actual client auth cert in the last part of the authentication process.
Does Exchange forward it in its entirety to RFA, since AD (or its related PKI service) created the cert?
Thank you.
Mac
This issue is beyond the scope of this site and must be placed on Technet or MSDN
-
Dynamic to static IPSec with certificate-based authentication
I'm trying to implement a dynamic-to-static LAN-to-LAN VPN from an ASA 5505 (with a dynamic IP address) to an ASA 5520 (with a static IP address).
I would like a small (/30) network on the dynamic side which I can connect to a larger (/24) network on the static side.
I am also trying to use identity certificates for authentication. I produced a root and an intermediate CA, signed the intermediate CA with the root certificate authority and then created identity certs for
the ASAs, signed with the intermediate CA using OpenSSL, and imported them to a trustpoint. I tried to use the instructions on:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080930f21.shtml
to configure the certificates (replacing MS with OpenSSL) and followed the instructions to: I tried ASDM to set up the appropriate identity cert on the external interface
[Configuration -> Device Management -> Advanced -> SSL Settings] and establish a connection profile [Configuration -> Device Management -> Connection Profiles] on both devices,
setting the side that gets its IP via DHCP to static and the side that has the permanent IP to accept dynamic. I apply the settings, and nothing happens.
show crypto isakmp sa just returns "There are no isakmp sas".
I don't know where to start debugging it. How can I force the DHCP side to initiate a connection?
Are we sure that both peers are using the same isakmp settings? It seems the policy that uses rsa-sig on one end uses a different Diffie-Hellman group.
-
AnyConnect 3.1 - the certificate on the secure gateway is not valid
Hi guys,
I have a problem with AnyConnect 3.1.01065.
When I try to connect I get "The certificate on the secure gateway is not valid. A VPN connection can be established."
The certificate is a self-signed cert.
AnyConnect 2.5 works without problems.
ASA image: 8.4(2).
[27.11.2012 15:58:27] Ready to connect.
[27.11.2012 16:01:49] Contact IP_WAN.
[27.11.2012 16:01:52] Please enter your username and password.
[27.11.2012 16:02:01] User credentials entered.
[27.11.2012 16:02:02] Establish the VPN session...
[27.11.2012 16:02:03] Checking for updates to profile...
[27.11.2012 16:02:03] Checking for updates...
[27.11.2012 16:02:03] Checking for updates of customization...
[27.11.2012 16:02:03] Execution of required updates...
[27.11.2012 16:02:08] Establish the VPN session...
[27.11.2012 16:02:08] Setting up VPN - initiate the connection...
[27.11.2012 16:02:09] Disconnection in progress, please wait...
[27.11.2012 16:02:13] Connection attempt failed.
Anyone had this problem before?
Thank you very much.
Hello Cristian,
Please see this:
CSCua89091 Bug Details
The local certification authority must support the EKU and other necessary attributes
Symptom:
The local CA server on the ASA currently does not support attributes like the EKU. This enhancement request is to add support for this.
Workaround:
Configure the cert on the client profile
http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89091
And the following:
DOC: AnyConnect supports specific Extended Key Usage attributes in cert
Symptom:
When using certificates with the AnyConnect client, if the certificate installed on the ASA does not have the EKU attribute set to "Server Authentication", then the AnyConnect client will reject the ASA certificate as invalid. The client ID certificate must also have "Client Authentication", otherwise the ASA will reject it.
Conditions:
Use an ID certificate on the ASA with an EKU other than "Server Authentication".
Use an ID certificate on the client that has an EKU other than "Client Authentication".
Workaround:
Generate a new ID certificate with the correct Extended Key Usage
http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472
So at this point you need to set up the corresponding certificate or use an earlier version of the AnyConnect client.
HTH.
Please rate all useful posts
-
Machine based authentication using EAP - TLS, MS CA and 5.2 of the ACS
I have used ACS 4.2 for Windows for a couple of years now and I'm pretty comfortable with it. The 5.2 model is much more different than what I expected. We downloaded the 90-day trial in our lab, and I am trying to get wired 802.1x working so we can be sure that we want to buy it. I've looked everywhere and I have been unable to find some basic instructions on how to configure the following scenario in a step by step process:
1. Integrated AD
2. EAP-TLS
3. Certificates
4. Microsoft CA
5. The supplicant is XP SP3
6. Non-Cisco 802.1x-compatible switches (the switches are not the question)
I got TACACS+ to work fairly easily, but I am confident the issues I have are user-based :). Does anyone know of a doc somewhere that goes over a scenario like this (in addition to the user guide and the migration docs)? Also, we have software assurance on our 4.2 box - will TAC support questions we have on the 5.2 box while we are demoing it?
Thanks in advance.
Hello, Christopher.
I'll try to give you some tips to achieve what you want.
Additional info can be found in the user guide:
1. In the identity store / Active Directory, check "Enable machine authentication".
2. Import a certificate for ACS:
Go to System Administration > Configuration > Local Server Certificates > Local Certificates and click the Add button.
Select how you want to import the certificate, and then check the EAP protocol.
3. Add your switches as AAA clients:
Network Resources > Network Devices and AAA Clients, click Create and configure the IP address + shared secret for RADIUS.
4. Go to Access Policies > Access Services and click Create to create a new access service.
Select the Type of Service and Network Access in the list.
Check identity, group mapping and authorization.
5. Go to Access Policies > Service Selection Rules and select "Rule based result selection" if not already done, then click Customize at the bottom right of the screen, and then add the properties that allow you to match the devices with which you want to do TLS.
You can use the IP address of the devices, or you can create an NDG (in Network Resources), assign devices to the NDG and match this NDG in your rule.
If all your RADIUS switches will do EAP-TLS, you can change the rule
Rule-1 RADIUS match Default Network Access, while in the result you choose the access service you created in step 3.
6. Go to Access Policies and click on the access service that you created in step 3. In the Allowed Protocols tab, check EAP-TLS.
7. Unfold your access service menu, and then click Identity. Select your AD as the identity source.
8. Check that the 'Permit Access' rule is selected in the authorization of your access service.
These steps define your devices, then create a rule to say that ACS must use a particular service for these access devices and set this access service to use AD for authentication.
Again, these are the basic steps; there may be some things missing depending on your configuration, but I hope this will help you.
ACS 5 may be difficult at first, but once you get your hands on it, you will see that it is powerful.
-
Configuration of the ASA is below!
ASA Version 9.1(1)
!
hostname ASA
domain-name xxx.xx
names
ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Interface_to_VPN
 nameif outside
 security-level 0
 ip address 111.222.333.444 255.255.255.240
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name www.ww
same-security-traffic permit intra-interface
object network LAN
 subnet 192.168.11.0 255.255.255.0
 description LAN
object network SSLVPN_POOL
 subnet 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 email [email protected]
 subject-name CN=ASA
 ip-address 111.222.333.444
 crl configure
crypto ca trustpoint ASDM_TrustPoint6
 enrollment terminal
 fqdn vpn.domain.com
 email [email protected]
 subject-name CN=vpn.domain.com
 ip-address 111.222.333.444
 keypair sslvpn
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint6
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 192.168.5.2-192.168.5.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint6 outside
webvpn
 enable outside
 csd image disk0:/csd_3.5.2008-k9.pkg
 anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
 wins-server none
 dns-server value 192.168.11.198
 vpn-simultaneous-logins 5
 vpn-session-timeout 480
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
 default-domain value myComp.local
 address-pools value VPN_CLIENT_POOL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect dtls compression lzs
  anyconnect modules value vpngina
  customization value DfltCustomization
group-policy IT_POLICY internal
group-policy IT_POLICY attributes
 wins-server none
 dns-server value 192.168.11.198
 vpn-simultaneous-logins 3
 vpn-session-timeout 120
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
 default-domain value societe.com
 address-pools value VPN_CLIENT_POOL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect dtls compression lzs
  customization value DfltCustomization
username vpnuser password PA$$WORD encrypted
username vpnuser attributes
 vpn-group-policy VPN_CLIENT_POLICY
 service-type remote-access
username vpnuser2 password PA$$W encrypted
username vpnuser2 attributes
 service-type remote-access
username admin password ADMINPA$$ encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_CLIENT_POOL
 default-group-policy VPN_CLIENT_POLICY
tunnel-group VPN webvpn-attributes
 authentication aaa certificate
 group-alias VPN_to_R enable
tunnel-group IT_PROFILE type remote-access
tunnel-group IT_PROFILE general-attributes
 address-pool VPN_CLIENT_POOL
 default-group-policy IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
 authentication aaa certificate
 group-alias IT enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Hello
Here's what you'll need:
same-security-traffic permit intra-interface
access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL
Patrick
-
Dot1x in ISE authentication certificate more
Hi all
Can someone help me configure Dot1x plus certificate authentication on the ISE box? We have an ISE 3315 with version 1.1.1 to configure certificate-based authentication. The idea behind it is that we want to restrict access for devices that do not belong to the company; employees' personal devices must be limited if they try to connect to the corporate network.
How can we configure dot1x plus certificate-based authentication on the Cisco ISE box?
Can someone help me out to solve this kind of problem?
Thank you
Pranav
Pranav,
Here are the steps for activating / verifying whether machine authentication is enabled on the Win7 clients:
Also, here are the steps for configuring the cache timer for machine access restrictions in ISE:
http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/user_guide/ise_man_id_stores.html#wpxref37158
Here is some information on how ISE applies machine access restrictions:
http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/user_guide/ise_authz_polprfls.html#wp1116684
In your authorization policy for domain users, you need to add the condition "Was machine authenticated" and set it to true.
Tarik Admani
* Please rate useful posts *
-
Hello!
I have a 5515 ASA with the configuration below. I have configured the ASA as a remote access VPN server with AnyConnect; now my problem is that I can connect but I cannot ping.
Help me please! Thank you!
Hello
Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.
Thank you
swap
-
ASA SSLVPN trustpoints authentication certificate
Hello
I have an ASA with a few trustpoints set up. How can I allow only client certificates from one trustpoint in a tunnel-group? I've seen client-side settings such as a connection profile or certificate maps, but they don't stop authentications with the wrong certificate.
Could I send the client certificate to a RADIUS server as with dot1x and check it on the authentication server?
Hi Marcel,.
First of all, you can use a certificate map on the ASA to bind a new SSL session to the desired connection profile.
However, as you said, the ASA will validate a certificate issued by any certification authority for which you have the CA certificate in a trustpoint, provided it is indeed valid and the optional CRL check is alright.
If for some reason you have a scenario where you want to deny SSLVPN access to users who have a valid certificate issued by a given CA, you can use the certificate map to bind these new SSL sessions to a "dead end" connection profile that has the maximum simultaneous logins set to 0:
Example config:
! first define the group policy and profile to catch those sessions that should not have access:
group-policy DeadEnd_GP internal
group-policy DeadEnd_GP attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
tunnel-group DeadEnd type remote-access
tunnel-group DeadEnd general-attributes
 default-group-policy DeadEnd_GP
tunnel-group DeadEnd webvpn-attributes
 authentication certificate
! then define the certificate map criteria, mapping certificates to a 'good' profile:
crypto ca certificate map mycertmap 10
 issuer-name attr cn eq myIssuer
crypto ca certificate map mycertmap 20
! this entry has no criteria, so it is a 'catch-all' rule
! finally, define the mapping in the global webvpn section:
webvpn
 certificate-group-map mycertmap 10 myProfile1
 certificate-group-map mycertmap 20 DeadEnd
--
Note that:
1. With a certificate map configured, your ASA will request client certificates for SSL connections. If you also have AAA-only authenticated profiles, that may be a problem - I'm not sure it will work 100% OK; I would need to test.
2. If you use ASDM, you will find the certificate map definition in the menu
Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps
===
Secondly, on the use of RADIUS - it is not possible to send the certificate itself to RADIUS (AFAIK), but you can use RADIUS authorization as an extra step after the certificate validation.
The ASA will first extract a username from the client certificate subject name - this is configurable, and can even be done with a Lua script.
A RADIUS Access-Request is sent with the extracted username - so you will probably need the user to exist on the RADIUS server.
In ASDM, you will find this configuration per connection profile, under Advanced, in the Authorization subsection of the Edit Connection Profile dialog.
You may be interested in looking at this guide, which explains a use case where this authorization was used to allow only certain users who had a certificate from a national public key infrastructure:
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00808e00ec.shtml
In step 6, point L, the authorization is configured.
It's a pretty old guide but it remains valid; you will see that it uses the LOCAL server for authorization, but apart from that it's the same principle.
===
I hope this helps, please let us know.
Cheers,
Chris
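The certificate-map logic that both Herbert's answer in the first thread (an e-mail allow-list plus a 'subject-name ne ""' catch-all mapped to a NoAccess profile) and Chris's answer above (an issuer check plus an empty catch-all entry mapped to a DeadEnd profile) rely on, worked through as an added Python example that is not part of the original thread or of any Cisco code: it parses the certificate-map subset of an ASA config and reports which connection profile a given subject/issuer DN would land in. The map and tunnel-group names come from the two answers; the DN strings, e-mail addresses, the first-match-by-sequence rule and the case-insensitive comparison are this example's assumptions.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "subject-name attr <x>" keywords mapped onto the DN attribute types used in the DN strings.
ATTR_TYPES = {"cn": "CN", "ou": "OU", "o": "O", "c": "C", "ea": "emailAddress"}

@dataclass
class Criterion:
    dn_field: str        # "subject-name" or "issuer-name"
    attr: Optional[str]  # DN attribute type, or None for a whole-DN comparison
    op: str              # eq, ne, co (contains) or nc (does not contain)
    value: str

@dataclass
class MapEntry:
    name: str
    seq: int
    criteria: List[Criterion] = field(default_factory=list)  # empty = catch-all

@dataclass
class CertMapConfig:
    entries: List[MapEntry] = field(default_factory=list)
    group_map: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (map, seq) -> tunnel-group

def parse_config(text: str) -> CertMapConfig:
    """Parse the certificate-map subset of an ASA config; unrelated lines are ignored."""
    cfg, current = CertMapConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = shlex.split(line)  # keeps the empty string in: subject-name ne ""
        if tok[:4] == ["crypto", "ca", "certificate", "map"]:
            current = MapEntry(tok[4], int(tok[5]))
            cfg.entries.append(current)
        elif tok[0] in ("subject-name", "issuer-name") and current is not None:
            if tok[1] == "attr":
                current.criteria.append(Criterion(tok[0], ATTR_TYPES[tok[2]], tok[3], tok[4]))
            else:
                current.criteria.append(Criterion(tok[0], None, tok[1], tok[2]))
        elif tok[0] == "certificate-group-map":
            cfg.group_map[(tok[1], int(tok[2]))] = tok[3]
        else:
            current = None  # any other line ("webvpn", "enable outside", ...) ends the entry
    return cfg

def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=Alice,OU=Users,emailAddress=a@b' into {type: value} (simple DNs only)."""
    pairs = (part.split("=", 1) for part in dn.split(",") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def compare(op: str, actual: str, expected: str) -> bool:
    # Case-insensitive comparison is this example's choice, not a documented ASA property.
    a, e = actual.lower(), expected.lower()
    return {"eq": a == e, "ne": a != e, "co": e in a, "nc": e not in a}[op]

def criterion_matches(c: Criterion, subject_dn: str, issuer_dn: str) -> bool:
    dn = subject_dn if c.dn_field == "subject-name" else issuer_dn
    if c.attr is None:
        return compare(c.op, dn, c.value)  # whole-DN test, e.g. subject-name ne ""
    # A missing attribute is treated as "", so "ea eq x" fails and the "ne" catch-all holds.
    return compare(c.op, parse_dn(dn).get(c.attr, ""), c.value)

def select_tunnel_group(cfg: CertMapConfig, map_name: str,
                        subject_dn: str, issuer_dn: str) -> Optional[str]:
    """Lowest-sequence entry whose criteria all match wins; returns its tunnel-group."""
    for entry in sorted((e for e in cfg.entries if e.name == map_name), key=lambda e: e.seq):
        if all(criterion_matches(c, subject_dn, issuer_dn) for c in entry.criteria):
            return cfg.group_map.get((entry.name, entry.seq))
    return None  # nothing matched, or the matching entry has no certificate-group-map

# Constructed config combining both answers: an e-mail allow-list with a 'ne ""' catch-all
# (Cert-Filter) and an issuer check with an empty catch-all entry (mycertmap).
SAMPLE_CONFIG = """
crypto ca certificate map Cert-Filter 10
 subject-name attr ea eq alice@company.example
crypto ca certificate map Cert-Filter 65535
 subject-name ne ""
crypto ca certificate map mycertmap 10
 issuer-name attr cn eq myIssuer
crypto ca certificate map mycertmap 20
webvpn
 enable outside
 certificate-group-map Cert-Filter 10 Company-Jabber
 certificate-group-map Cert-Filter 65535 NoAccess
 certificate-group-map mycertmap 10 myProfile1
 certificate-group-map mycertmap 20 DeadEnd
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for subject in ("CN=Alice,OU=Users,emailAddress=alice@company.example",
                    "CN=Mallory,OU=Users,emailAddress=mallory@company.example"):
        print(subject, "->", select_tunnel_group(cfg, "Cert-Filter", subject, "CN=myIssuer,O=Company"))
```

A certificate with an e-mail address that is not listed, or with no e-mail attribute at all, falls through to the 65535 entry and lands in NoAccess; a certificate from an issuer other than myIssuer lands in DeadEnd.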
-
AnyConnect users can access internal network
Hello!
Just set up a new AnyConnect VPN solution for a customer. It works almost perfectly.
AnyConnect users can reach the internal network storage. The AnyConnect users can access the internet, but nothing on the internal network.
(Deleted all the passwords and public IP addresses)
ASA 4,0000 Version 1
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 213.80.98.2
 name-server 213.80.101.3
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list SHEEP extended permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.9.50-192.168.9.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.9.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.9.2-192.168.9.33 inside
dhcpd option 3 ip 192.168.9.1 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.3046-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy SSLClitentPolicy internal
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 192.168.9.5
 vpn-tunnel-protocol ssl-client
 address-pools value SSLClientPool
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
tunnel-group VPN type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a58e90dc61dfbf7ba15e059e5931609
: end
Looks like you have sysopt permit-vpn disabled; enable it:
sysopt connection permit-vpn
Also remove the twice NAT dynamic rule, as you have already configured dynamic NAT under the network object:
no nat (inside,outside) source dynamic any interface
Then 'clear xlate' once again and let us know if it works now.
-
ASA VPN - allow user based on LDAP Group
Hello friends
I need to create a configuration to allow connections based on LDAP group.
I'm not specialized in firewalls and I tried to follow the links below, but both seem old; several commands are not available.
http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Does anyone know how I can do this?
Thank you
Marcio
I like to use DAP (dynamic access policies) to control this. Follow this guide:
https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide
-
How to do 802.1X port-based authentication for network access through ACS
How to do 802.1X port-based authentication for network access through ACS.
Hello
802.1X can authenticate the host either by username/password, or through the MAC address of the client (PC, printer, etc.). The latter is called agentless network access and can be done via MAC Authentication Bypass (MAB).
In this process, the 802.1X switchport sends the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, authentication succeeds and the PC is granted network access.
To check the configuration on ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_ser...
To check the configuration on ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_contro...
Kind regards
Kush
-
External LDAP user not authenticated
Hello
Using WebLogic 12.1.2 I created an Active Directory authenticator and can connect to our Windows Active Directory so that it gives the list of users, which I can see in the 'Users and Groups' tab of the WebLogic administration console. However, when I try to authenticate from my Java process, it indicates that the user cannot be authenticated (java security LoginException). This same code works in a different environment with the Active Directory configuration. If I use our default 'local' WebLogic user (the one who is allowed to start the server), I do not see the exception and the user is authenticated. Does anyone know how I can get my "external LDAP user" to authenticate, why it would be treated differently from a 'local' user, or why it would behave differently depending on the environment?
Thank you!
Hello
You are able to connect to the WebLogic console using Active Directory users.
1. Check if you are able to see all the users in the WebLogic console.
Security Realms ===> myrealm ===> Users and Groups
2. Also, did you add the user or group in the global section?
Take a look at the link below for the reference AD with WebLogic configuration.
Configuring Active Directory with WebLogic Server 10.3.6 - weblogicexpert
3. Check which control flags were set.
Set them to "SUFFICIENT".
It may be useful.