topic Re: ASA SSL VPN with client certificates from external CA in Network Security

ASA SSL VPN with client certificates from external CA

basissmart — Mon, 11 Mar 2019 16:44:39 GMT

Hi all,

I am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect.

I have imported the CA's root certificate, signed an identity cert for the ASA box and imported, and assigned the cert ("trustpoint") to the outside interface.

Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of if I have a valid signed cert or not. This is what I see with "debug webvpn 100":

webvpn_portal.c:ewaFormServe_webvpn_login[1904]
webvpn_portal.c:http_webvpn_kill_cookie[682]
webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = c98f3940
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!
Embedded CA Server not enabled. Logging out the user.
webvpn_portal.c:ewaFormServe_webvpn_login[1904]
webvpn_portal.c:http_webvpn_kill_cookie[682]

So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert?

Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything - whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".

Some highlights from the config:

crypto ca trustpoint ASDM_pfirewall01.company.tld
 enrollment terminal
 fqdn pfirewall01.company.tld
 subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik
 keypair company
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check crl none
 enrollment terminal
 crl configure
  no enforcenextupdate
  no protocol ldap
  no protocol scep
crypto ca trustpoint ASDM_pfirwall01.company.tld
 revocation-check crl
 enrollment terminal
 no client-types
 crl configure
crypto ca certificate chain ASDM_pfirewall01.company.tld
 certificate 02
    30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030 
    <snipped rest of cert>
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00e2a6f08003ded6c9
    3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886 
    <snipped rest of cert>
  quit
crypto ca certificate chain ASDM_pfirwall01.company.tld
 certificate ca 00e2a6f08003ded6c9
    3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886 
    <snipped rest of cert>
  quit

ssl encryption aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_pfirewall01.company.tld outside vpnlb-ip
ssl trust-point ASDM_pfirewall01.company.tld outside
ssl certificate-authentication interface outside port 1443
webvpn
 port 1443
 enable outside
 dtls port 1443
 svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
 svc enable

group-policy DenyGroup internal
group-policy DenyGroup attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec svc 
group-policy DfltGrpPolicy attributes
 dns-server value 10.26.12.20 10.26.12.21
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol IPSec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel_company_networks
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAPUsers
 default-group-policy DenyGroup
 authorization-required
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication certificate



I've been trying different combinations of options for this and starting to pull my hair out. Any hints would be appreciated!

Re: ASA SSL VPN with client certificates from external CA

Herbert Baerten — Wed, 02 Dec 2009 14:31:43 GMT

Check:

debug crypto ca 255

debug crypto ca mess 255

debug crypto ca trans 255

show crypto ca cert

And be sure to check the clock on the ASA, make sure the date is correct and that your client cert is not expired.

hth

Herbert

Re: ASA SSL VPN with client certificates from external CA

basissmart — Thu, 03 Dec 2009 11:25:54 GMT

Hi Herbert,

With these debug settings on, I did not get any log messages when trying to connect.

'show crypto ca cert' shows the two expected certs (the ASA's identity cert and the CA certificate).

Both ASA and client clocks are correct and synced to the same NTP server.

Note that we are not using the ASA's local CA functionality - it doesn't work in a failover configuration. So we run our own CA seperate from the ASA box and want the ASA to verify that connecting clients have certs signed by this CA.

Thanks

Re: ASA SSL VPN with client certificates from external CA

rcullum — Wed, 27 Jan 2010 14:50:29 GMT

You need to import the CA certificate into your ASA that signed your client certificate. Then tick the option Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles 'Require client certificate'. Then in your connection profile choose auth method as AAA as you are not doing cert auth. When you connect to ASA with your IE browser, you should be prompted to choose a client certificate to use for your connection to the ASA. I don't think this works for Firefox as it won't have access to your Windows certificate store. The ASA should look through all its CA trustpoints to find one that matches the CA that signed your client cert, thereby validating your identity. I have only tried this with a Windows user certificate, not a machine certificate.

Re: ASA SSL VPN with client certificates from external CA

padair000 — Wed, 27 Jan 2010 19:07:54 GMT

RCULLUM,

I am having the same problem as Snorri. I have tried what you suggest, and it works but without requiring the cert. I logged in from an isolated outside machine, and when it asked for a certificate I just hit cancel, as I had none. Then it gave me the login screen, and once I logged in using AAA, I was given the ssl vpn homepage.

SNORRI,

have you recieved any help on this. I have contacted cisco, but the person helping me is just stabbing in the dark it would appear. As RCULLUM says, the ASA should check all of its CAs first.

Thanks

Re: ASA SSL VPN with client certificates from external CA

rcullum — Fri, 29 Jan 2010 09:39:03 GMT

As a possible interim workaround, create a new ssl vpn connection profile and assign a new group policy to it. Use the Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps to map an attribute from your client cert to the new ssl vpn connection profile/policy. On the DfltGrpPolicy, set Simultaneous logins=0 which will stop any sessions.

If you don't select/have a client cert, you should get mapped to the DefaultWEBVPNGroup connection profile which uses policy DfltGrpPolicy.

If you have a cert, the attribute mapping should assign you the new connection profile & policy.

Re: ASA SSL VPN with client certificates from external CA

padair000 — Wed, 10 Feb 2010 22:14:16 GMT

RCULLUM, what I found through a long session with cisco was that I was using the wrong type of certificate. Even though the identity cerftifcate I uses was from the ipsec offline template, the client could not submit such a cert for an SSL vpn. The certificate could only be a user certificate, as given in the microsoft templates. If the ASA saw that the certificate was good for ipsec useage it would reject it. At least that is what the cisco person told me. By placing the user cert on the usb token everything seems to work now. I had one additonal problem though. That is if someone without a valid certificate tries to access the gateway they are given a logon prompt. No logons work, but I would prefer them not be given any inormation if they do not have a certificate. Ideally I would like something like a 404 error.

Re: ASA SSL VPN with client certificates from external CA

rcullum — Thu, 11 Feb 2010 13:21:12 GMT

padair000

Try enabling CSD Windows Location Settings and do a pre-login check. Do a check for a Certificate attribute. If user doesn't have that attribute, I think ASA will reject the connection before the login prompt appears.

Re: ASA SSL VPN with client certificates from external CA

DANIEL FERREIRA — Thu, 15 Jul 2010 17:04:17 GMT

Hi,

It is possible authenticate the machine and permit only access to users in AD but from specific machine.

You done the authentication with a user certificate but it is possible to use a machine certificate?

Thanks,

Daniel

Re: ASA SSL VPN with client certificates from external CA

marco.agnese — Tue, 23 Aug 2011 13:06:54 GMT

Did you ever got an answer for your question?