ASA - SSL VPN with Certificate Authentication

morabusa
Level 1

Hello,

I need to configure SSL VPN with certificate authentication in ASA but I am having some issues finding a detailed guide about how to do it. As far as I know, I just need to specify Certificate as Authentication Method in the Profile, install the certificate in the client PC (each user has his own certificate) and install the root certificate in the ASA (certificates are provided by Comodo CA). Am I missing something else? Thank you very much.

Best Regards.

6 Replies

Hi,
Which CA issued the certificates to the users, an Internal Windows CA?
If so you will need to import that CA certificate into the ASA to ensure trust between the certificate used by the client for authentication.

HTH

Hi,

No, it is an external CA. So, I just need to upload the root and intermediate CA certificates in the "CA Certificates" inside Certificate Management, right? Thank you!

Best Regards.

The ASA needs to trust the certificate presented by the users, so yes create a trustpoint on the ASA with the external CA certificate chain.

Ok, thank you very much. On the other hand, is there a way to specify which trustpoint is associated with the Profile? I mean, if I have 5 profiles which allow access to different users and give different access, can I configure that users with a specific certificate are the ones which will be authenticated in the specific profile?

I want to avoid that users with trusted certificates can access all the profiles which require Certificate Authentication. Thanks!

EDIT: I have found this: https://community.cisco.com/legacyfs/online/legacy/8/8/2/75288-ASA_LocalCA.pdf

My question now is that what if I have different Certificate issuers? Should I have to specify different Mapping criteria for each certificate? How is the behavior if I have 2 different matching criteria? Thanks.

Match on a unique attribute, e.g. the certificate issuer, then create different rules; each rule would map to a different tunnel-group.

The example below demonstrates what you need to configure; it matches on OU (organisation unit) rather than issuer. Just create multiple rules for each mapping you require.

https://www.youtube.com/watch?v=fXyXvkWo0r4


Yes, I have seen that video but I am still confused. I mean, what happens if I have two different Root certificates, and I want that users with certificate A connect to the Profile A while users with certificate B connect to the Profile B. I cannot see the relation between rules and mapping criteria.

If I create two different mapping criteria, how can I ensure that I meet the specifications commented before? I cannot see anything when creating the rule where you can specify which map criteria use specifically. Thanks.
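An added configuration sketch of what the replies describe (not taken from this thread, the linked PDF, or Cisco documentation): one trustpoint per CA, one certificate map per issuer, and each map bound to its own connection profile under webvpn. Trustpoint names, issuer CN values, group-policy and profile names are constructed placeholders.

```text
! Added example with constructed names; not from the thread or Cisco docs.
! One trustpoint per CA chain that the users' certificates chain to.
crypto ca trustpoint CA-A
 enrollment terminal
 crl configure
! then: crypto ca authenticate CA-A   (paste the CA-A PEM certificate)
crypto ca trustpoint CA-B
 enrollment terminal
 crl configure
! then: crypto ca authenticate CA-B   (paste the CA-B PEM certificate)

! Two connection profiles, each using certificate authentication.
group-policy GP-A internal
group-policy GP-B internal
tunnel-group PROFILE-A type remote-access
tunnel-group PROFILE-A general-attributes
 default-group-policy GP-A
tunnel-group PROFILE-A webvpn-attributes
 authentication certificate
tunnel-group PROFILE-B type remote-access
tunnel-group PROFILE-B general-attributes
 default-group-policy GP-B
tunnel-group PROFILE-B webvpn-attributes
 authentication certificate

! One certificate map per issuer. The CN values are placeholders for the
! Issuer DN of each CA exactly as it appears in the user certificates.
crypto ca certificate map MAP-CA-A 10
 issuer-name attr cn eq ExampleCA-A
crypto ca certificate map MAP-CA-B 10
 issuer-name attr cn eq ExampleCA-B
! Variant from the video reply: match on OU instead of the issuer, e.g.
!  subject-name attr ou eq Finance

! Bind each map to its profile: a certificate matching MAP-CA-A is placed
! in PROFILE-A, one matching MAP-CA-B in PROFILE-B.
webvpn
 certificate-group-map MAP-CA-A 10 PROFILE-A
 certificate-group-map MAP-CA-B 10 PROFILE-B

! Check which profile a connected user actually landed in:
! show vpn-sessiondb anyconnect
```

Both trustpoints are trusted for authentication regardless of the maps; the maps only decide which profile a matching certificate is steered to, so test with a CA-B certificate and confirm in show vpn-sessiondb anyconnect that it is not placed in PROFILE-A.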
