ASA SSLVPN trustpoints authentication certificate

Hello

I have an ASA with a few trustpoints set up. How can I allow only the client certificates from one trustpoint into a tunnel-group? I've seen client-side settings such as the connection profile or certificate maps, but they don't limit authentication to the right certificates.

Could I send the client certificate to a RADIUS server, as with dot1x, and check it on the authentication server?

Hi Marcel,

First of all, you can use a certificate map on the ASA to link a new SSL session to the desired connection profile.

However, as you said, the ASA will validate any certificate issued by a certification authority whose CA certificate you hold in a trustpoint, provided it is indeed valid and, optionally, passes the CRL check.

If for some reason you have a scenario where you want to deny SSLVPN access to users who hold a valid certificate issued by a given CA, you can use the certificate map to bind these new SSL sessions to a "dead end" connection profile that has the maximum simultaneous logins set to 0:

Example config:

! first set the group policy and profile to catch the sessions that should not have access:
group-policy DeadEnd_GP internal
group-policy DeadEnd_GP attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
tunnel-group DeadEnd type remote-access
tunnel-group DeadEnd general-attributes
 default-group-policy DeadEnd_GP
tunnel-group DeadEnd webvpn-attributes
 authentication certificate

! Then, set the certificate map criteria, mapping the wanted certificates to a 'good' profile:
crypto ca certificate map mycertmap 10
 issuer-name attr cn eq myIssuer
crypto ca certificate map mycertmap 20
! Sequence 20 has no criteria, so it is a 'catch-all' rule.

! Finally, define the mapping in the global webvpn section:
webvpn
 certificate-group-map mycertmap 10 myProfile1
 certificate-group-map mycertmap 20 DeadEnd

--

Note that:

1. With a certificate map configured, your ASA will request a client certificate on SSL connections. If you also have AAA-only authenticated profiles, that may be a problem - I'm not sure it will work 100% OK, I would need to test.

2. If you use ASDM, you will find the certificate map definition under the menu

Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps

===

Secondly, on the use of RADIUS - it is not possible to send the certificate itself to RADIUS (AFAIK), but you can use RADIUS authorization as an extra step after the certificate validation.

The ASA will first extract a username from the client certificate's subject name - the field is configurable, and can even be derived with a Lua script.

A RADIUS Access-Request is then sent for the extracted username - so the user will probably need to exist on the RADIUS server.

In ASDM, you will find this configuration in the connection profile, under Advanced, in the Authorization subsection when editing the connection profile.

You may be interested in reading this guide, which explains a use case where this authorization step has been used to allow only certain users holding a certificate from a national public key infrastructure:

http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00808e00ec.shtml

In step 6, point L, the authorization is configured.

It's a pretty old guide but it remains valid; you will see that it uses the LOCAL server for authorization, but apart from that it's the same principle.

===

I hope this helps, please let us know.

See you soon,

Chris
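As an added illustration (not ASA code, and not part of the answer above): a small Python model of how the ASA walks the 'crypto ca certificate map' sequences and the 'certificate-group-map' entries, fed with the map from the config above and with a variant that lacks the catch-all, to show what happens to a certificate from another trusted CA in each case. The DefaultWEBVPNGroup fallback, the default of 3 simultaneous logins and case-insensitive comparison are assumptions; it also accepts whole-DN criteria such as subject-name ne "".

```python
from dataclasses import dataclass, field

# Operators accepted by 'attr' criteria in a certificate map sequence.
OPS = {
    "eq": lambda actual, want: actual == want,
    "ne": lambda actual, want: actual != want,
    "co": lambda actual, want: want in actual,
    "nc": lambda actual, want: want not in actual,
}

@dataclass
class Rule:
    """One criterion, e.g. 'issuer-name attr cn eq myIssuer'.
    attr=None tests the whole DN string, as in 'subject-name ne ""'."""
    dn_field: str   # "issuer-name" or "subject-name"
    attr: "str | None"
    op: str
    value: str

@dataclass
class CertMap:
    name: str
    sequences: dict = field(default_factory=dict)  # seq -> [Rule]; [] = catch-all
    group_map: dict = field(default_factory=dict)  # seq -> tunnel-group name

def rule_matches(rule, cert):
    dn = cert[rule.dn_field.split("-")[0]]  # the "issuer" or "subject" dict
    if rule.attr is None:
        actual = ",".join(f"{k}={v}" for k, v in dn.items())
    else:
        actual = dn.get(rule.attr, "")
    # Assumption: attribute values are compared case-insensitively.
    return OPS[rule.op](actual.lower(), rule.value.lower())

def select_tunnel_group(certmap, cert, default="DefaultWEBVPNGroup"):
    """Lowest matching sequence wins and all its criteria must hold; a sequence
    with no criteria matches everything. Assumption: no match -> default profile."""
    for seq in sorted(certmap.sequences):
        if all(rule_matches(r, cert) for r in certmap.sequences[seq]):
            return certmap.group_map.get(seq, default)
    return default

def session_allowed(certmap, cert, max_logins):
    """max_logins maps tunnel-group -> vpn-simultaneous-logins of its group policy.
    Assumption: profiles not listed keep the ASA default of 3."""
    tg = select_tunnel_group(certmap, cert)
    return tg, max_logins.get(tg, 3) > 0

def username_from_certificate(cert, primary="cn"):
    """The username the ASA would hand to RADIUS/LDAP authorization (primary
    field of 'username-from-certificate' only; the secondary field is omitted)."""
    return cert["subject"].get(primary, "")

# Constructed sample data mirroring the answer's config (seq 10 + catch-all 20).
RULE_10 = [Rule("issuer-name", "cn", "eq", "myIssuer")]
ANSWER_MAP = CertMap("mycertmap", {10: RULE_10, 20: []},
                     {10: "myProfile1", 20: "DeadEnd"})
NO_CATCHALL = CertMap("mycertmap", {10: RULE_10}, {10: "myProfile1"})
MAX_LOGINS = {"DeadEnd": 0}  # DeadEnd_GP has vpn-simultaneous-logins 0
GOOD_CERT = {"issuer": {"cn": "myIssuer"}, "subject": {"cn": "alice", "ou": "vpn"}}
OTHER_CA_CERT = {"issuer": {"cn": "OtherTrustedCA"}, "subject": {"cn": "mallory"}}
```

Without sequence 20, OTHER_CA_CERT lands in DefaultWEBVPNGroup and is still allowed to log in, which is exactly the gap the dead-end mapping closes.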

Tags: Cisco Security

Similar Questions

  • Smart card authentication - user authentication certificate

    I am developing an authentication solution for BlackBerry based on cryptographic SIM cards. I managed to create a pilot smart card reader and a smart card driver using the RIM Crypto API. Using these two, I'm able to import a
    certificate stored on the SIM card, enable two-phase user authentication that checks the device password and the PIN against the certificate. I can also set up a TLS session using private keys and certificates stored on the card.

    However, when I try to activate the "Authentication certificate" option in the password options panel, I encounter a problem. After selecting the certificate and clicking on save, the device asks me to enter the device password and the smart card PIN, which I do. Debugging tells me that the PIN is properly checked with the card. Subsequently, a 'Smart card access' popup appears with information that the RIM 'Options' application attempts to access the card, with the information "the private key will be used to initialize authentication certificate". When I enter the PIN code OK, I get: 'failed to initialize authentication certificate. Check that the certificate is not on the smart card used for two-factor authentication.'

    Can someone tell me why this is? Must the certificate be special in some way (content, key usage restriction etc.)? The certificate is obviously present on the card, as it is for example usable as a client certificate for setting up TLS sessions. Also, what does this "initialization" of the certificate mean?

    Well, I think I'll answer myself, as I managed to solve this problem.

    After some debugging I realized that:

    • After the second PIN prompt appears, the signRSA method (net.rim.device.api.crypto.RSACryptoSystem, net.rim.device.api.crypto.CryptoTokenPrivateKeyData, byte [], byte [], int, int, java.lang.Object) in our RSACryptoToken extension is called
    • This method gets a context object (last parameter), which is a SmartCardSession
    • during the processing of the sign request (cf. the smart card and smart card driver examples from RIM) one must not create another smart card session, but instead reuse the one provided by the framework.

    Trying to establish a new smart card session causes the request to block, because the sessions are exclusive, i.e. only one can be open at a time.

  • Dot1x plus certificate authentication in ISE

    Hi all

    Can someone help me configure Dot1x plus certificate authentication in the ISE box. We have the ISE 3315 with version 1.1.1 to configure certificate-based authentication. The idea behind this is that we want to restrict access for devices that do not belong to the company's active employees; they must be limited if they try to connect to the corporate network.

    How can we configure dot1x plus basic certificate authentication in the Cisco ISE box?

    Can someone help me out to solve this kind of problem?

    Thank you

    Pranav

    Pranav,

    Here are the steps for activating / verifying that machine authentication is enabled on the Win7 clients:

    http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/thread/5e1bbaa4-9dad-40DA-8e53-a7d67e17c20b/

    Also, here are the steps for configuring the cache timer for machine access restrictions in ISE:

    http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/user_guide/ise_man_id_stores.html#wpxref37158

    Here is some information on how ISE applies machine access restrictions:

    http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/user_guide/ise_authz_polprfls.html#wp1116684

    In your authorization policy for domain users, you need to add the condition "Was machine authenticated" with the value true.

    Tarik Admani
    * Please rate helpful posts *

  • Cisco ASA AnyConnect SSL VPN - certificates + token?

    Hello

    I'm looking for an answer to whether such a configuration is possible:

    The Cisco AnyConnect SSL VPN service with two factors - the first method is a certificate from the local Microsoft CA and the second method is a token solution, a Symantec VIP password?

    I know that with two-factor authentication using user/password from Active Directory + OTP by Symantec VIP there is no problem, because you can send the user + pass with RADIUS, but with certificates I do not really understand who will check the validity of the certificate, which certificate we will send to the RADIUS server for validation, and how the configuration will look from the ASA point of view.

    Thank you very much for the help!

    Hi Alex,

    I don't see a problem with having certificate + token to connect to the VPN. Certificate authentication must be performed on the ASA, see an example below:

    https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication

    Token authentication can be specified as primary/secondary (SDI authentication) on the ASA, an example below:

    http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/anyconnect31/Administration/Guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

    Hope it helps

    -Randy-

  • AnyConnect: User-based certificate authentication filtering configuration

    Hello network colleagues.

    Recently I needed to configure AnyConnect SSL VPN with certificate authentication to meet the needs of the on-demand connection feature of Cisco Jabber.

    Everything is OK, but I need to filter users based on their personal certificate information. For example, right now everyone who has a personal certificate from our CA can access this VPN. I want to select the users by the e-mail in the certificate so that only these users are granted access.

    I used this command:

    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
     certificate-group-map Cert-Filter 10 Company-Jabber
    crypto ca certificate map Cert-Filter 10
     subject-name attr ea eq [email protected]

    The problem is that I can still get into the profile - if I change [email protected] to

    On the AnyConnect client, I connect to the group-url of the Company-Jabber connection profile.

    Hi Alexandre

    There are several ways to approach this and it depends somewhat on the rest of the config, for example if you have other tunnel-groups etc.

    I guess the easiest way (if it does not interfere with the rest of your configuration) is to add something like this:

    crypto ca certificate map Cert-Filter 65535
     subject-name ne ""

    This would catch all users/certificates not matched by your previous rules.

    Under webvpn you map these users to another tunnel-group (connection profile):

    webvpn
     certificate-group-map Cert-Filter 65535 NoAccess

    And configure the NoAccess group so that access is denied (for example, by setting simultaneous logins to 0 in the corresponding group policy).

    Other options would be to use DAP (dynamic access policies) to do pretty much the same as the certificate map, or LDAP authorization (for example, retrieve the username from the certificate, then perform an LDAP search to see if the user is allowed to use the VPN - in this scenario there is no need to list all the users on the ASA, but for example you need to create a new group on your LDAP server that contains all VPN users).

    Let me know if you want to go further with any of the above.

    Cheers

    Herbert

  • authentication certificate "don't ask again"

    I connect to a remote MS Server 2008 R2 from home using a Win7 laptop and Remote Desktop. During the connection process, I am presented with a certificate authentication failure message to which I usually respond "connect anyway". Last night I clicked the 'Don't ask me again' box and now I can't connect at all. I see an error message saying the server is not available or is turned off, etc.

    Anyone know how I can "reactivate" the original certificate failure message?

    Carol

    This issue is beyond the scope of this site and should be posted on TechNet or MSDN

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home

  • Is there a method to determine the AnyConnect client types and quantities that connect to the ASA SSL VPN?

    We need to determine the distribution of the different AnyConnect SSL VPN clients connecting to our ASA hub. Is there a method, either in ASDM or the CLI (or syslog), to determine the client type and count (for example Android and iOS vs Windows vs Linux)?

    There is a 'user agent' field in vpn-sessiondb. You can check it via ASDM or

     show vpn-sessiondb det anyconnect

    if my memory serves. (Exact syntax depends on version)

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/ASA-command-reference/...

  • ACS 5.1 administrator certificate authentication?

    Is it possible to authenticate ACS administrators [web interface] by client certificate in ACS 5.1?

    This link is for 4.x, which is a different product from 5.x.

    Currently, administrator authentication is done by username and password only.

    The certificate can be changed, but this only changes the certificate presented to
    the user when they log in to the ACS.

    -Jesse

  • Cisco ASA and AnyConnect VPN certificate error

    Hello

    I am trying to configure Cisco AnyConnect VPN and everything works, but I get this warning message when the connection is opened:

    I don't have a public certificate in the ASA. Is it possible to use a self-signed certificate and get rid of this warning message?

    Hello

    This is expected behavior on the ASA for an SSL connection. You can certainly use a self-signed certificate on the ASA and then apply it on the outside interface.
    Once done, you will need to install this certificate on the clients and this will remove the popup error message.

    Here is a document that you can refer to for creating a self-signed certificate.
    https://supportforums.Cisco.com/document/44116/ASA-self-signed-certificate-WebVPN

    Kind regards
    Dinesh Moudgil

    PS: Please rate helpful posts.

  • Several protocols on a single ASA, multifactor authentication?

    We currently use the AnyConnect client combined with RSA SecurID for multifactor authentication on Windows laptops.

    We plan to deploy some portable computers that do not support the AnyConnect software (for example Chromebooks).

    Chromebook supports VPN using L2TP/IPsec + preshared key or user certificate, plus the user ID and static password. There is no user interface provided for a token type and SecurID PIN code, so SecurID is not supported.

    If the native VPN client connection were combined with something like Microsoft PhoneFactor Azure Multifactor Authentication or Duo Security operating over RADIUS, multifactor authentication would work via an automated phone call, SMS or a smartphone app, and the Chromebook end-user device has no need to 'support' this directly, since the authentication happens on the main server. All the user needs is the pre-shared key or certificate name, their username, password and access to their phone. They connect with their username and password and then get an automated phone call or text they need to answer before authentication is allowed.

    Can RSA SecurID and Azure multifactor authentication both be supported at the same time, so AnyConnect users use RSA and users without AnyConnect use Azure?

    You should be able to do it with different connection profiles, each with its own primary and secondary authentication method.

    A given (single) profile can use only one set of primary and secondary authentication methods.

    By the way, I have used the Duo Security solution for remote access with a VPN client and thought it was very well done.

  • Authentication certificate has expired or is not valid

    Getting an error connecting to a PC with Remote Access, error: "authentication".

    "Certificate from the remote computer has expired or is not valid."

    Hi Chandan,

    You can ask your question here for better assistance:

    http://social.technet.Microsoft.com/forums/en-us/category/w7itpro

    Hope it helps.

  • Configuring the ASA to support ISA authentication proxy

    I have an ASA configured for internet and remote VPN termination. I would like to use an ISA authentication proxy for remote access VPN clients. How do I configure support for this on the ASA?

    Topology: Inside network ===> ISA ===> ASA ===> Internet

    David,

    Given that this is a Cisco forum (I could google it, but I'd rather have it recorded directly in a thread), can you tell me what the role of the ISA authentication proxy is? And how it works.

    Normally proxy authentication (auth-proxy on routers and cut-through proxy on firewalls) is transparent to the other devices in the network.

  • Cisco ASA, RDP plugin authentication

    Hello

    I installed an ASA 5505 (8.0.3) with WebVPN. I managed to make all of this work with SSO (Single Sign On) with the exception of the RDP terminal session. OWA, SharePoint, file browsing, SSO are no problem, but I can't seem to make it work with RDP. Somehow it does not translate the RDP session variables. I use CSCO_WEBVPN_USERNAME and CSCO_WEBVPN_PASSWORD, but they appear just like that in the username and password fields. Is it possible to make SSO work for RDP?

    Ofwegen, just to let you know that I do not use a single sign-on server, just auto sign-on, and I got it working with the RDP plugin by editing the bookmarks to have the "csco_sso=1" option in there:

    rdp://myterminalserver/?csco_sso=1

    This works for RDP and ICA plugins.

  • Certificates for IPsec VPN clients on ASA 8.0

    Hello!

    I have configured an MS CA and I have set up the VPN client and ASA 7.0 to build the tunnel with certificates.

    The same configuration does not work with ASA 8.0; I get the error

    CRYPTO_PKI: Check whether an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
    b8 74 97 f3 bf 25 1c e5 2e e5 21 3e d1 93 15 d6 |... t...%...! >....
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: Found a suitable authenticated trustpoint A1.
    CRYPTO_PKI(make trustedCerts list) CRYPTO_PKI:check_key_usage: KeyUsage Incorrect
    (40)
    CRYPTO_PKI: Certificate validation: Failure, status: 1873. Attempting to retrieve
    revocation status if necessary
    ERROR: Certificate validation failed. Peer certificate's key usage is not valid, serial
    number: 250F3ECE0000000009AF, subject name: cn=xxxxx, ou=xxxx, o=xxxxx, c=XX
    CRYPTO_PKI: Certificate not validated

    Why is the key usage invalid? Which certificate template must be used on the MS CA in order to get a usable key usage?

    The CA is an enterprise CA.

    Thank you!

    The cert needs to have the Digital Signature key usage set.

    I don't know which templates are available on MS, but it should be something like "IPsec User", I guess.

    To make ASA 8 behave like ASA 7 (i.e. disable the check on the cert's key usage), configure:

    crypto ca trustpoint
     ignore-ipsec-keyusage

  • Dynamic to static IPSec with certificate-based authentication

    I'm trying to implement a dynamic-to-static LAN-to-LAN VPN from an ASA 5505 (with a dynamic IP address) to an ASA 5520 (with a static IP address).
    I would like a small (/30) network on the dynamic side that I can connect to a larger (/24) network on the static side.
    I am also trying to use identity certificates for authentication.

    I produced a root and an intermediate CA, signed the intermediate CA with the root certificate authority, then created identity certificates for
    the ASAs, signed with the intermediate CA using OpenSSL, and imported them into a trustpoint.

    I tried to use the instructions at:
    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080930f21.shtml
    to configure the certificates (replacing MS with OpenSSL) and following the instructions there:

    I used ASDM to set the appropriate identity cert on the outside interface
    [Configuration-> Device Management-> advanced-> SSL settings]

    and to create a connection profile [Configuration-> Device Management-> connection profiles] on both devices,
    setting the side that gets its IP via DHCP to static and the side that has the permanent IP to accept dynamic.

    I apply the settings, and nothing happens.

    show crypto isakmp sa just returns "There are no isakmp sas".

    I don't know where to start debugging this. How can I force the DHCP side to initiate a connection?

    Are we sure that both peers are using the same isakmp settings? It seems the policy that uses rsa-sig on one end uses a different Diffie-Hellman group.
