I need to configure SSL VPN with certificate authentication in ASA but I am having some issues finding a detailed guide about how to do it. As far as I know, I just need to specify Certificate as Authentication Method in the Profile, install the certificate in the client PC (each user has his own certificate) and install the root certificate in the ASA (Certificates are provided by Comodo CA). Am I missing something else? Thank you very much.
No, it is an external CA. So, I just need to upload the root and intermediate CA certificates in the "CA Certificates" inside Certificate Management, right? Thank you!
Ok, thank you very much. On the other hand, is there a way to specify which trustpoint is associated with the Profile? I mean, if I have 5 profiles which allow access to different users and give different access, can I configure that users with a specific Certificate are the ones which will be authenticated in the specific profile?
I want to avoid that users with trusted certificates can access all the profiles which require Certificate Authentication. Thanks!
EDIT: I have found this: https://community.cisco.com/legacyfs/online/legacy/8/8/2/75288-ASA_LocalCA.pdf
My question now is: what if I have different Certificate issuers? Do I have to specify different Mapping criteria for each certificate? What is the behavior if I have 2 different matching criteria? Thanks.
Match on a unique attribute, e.g. the certificate issuer, then create different rules; each rule would map to a different tunnel-group.
This example below demonstrates what you need to configure; it matches on OU (organisation unit) rather than issuer. Just create multiple rules for each mapping you require.
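The mapping described in this answer, written out as ASA CLI. This is an added illustration, not configuration from the original post or the linked guide, and it matches on issuer instead of OU; the map names, tunnel-group names and issuer CN values are placeholders.

```cisco
! Added example: all names and issuer CN values below are placeholders.
!
! Each connection profile (tunnel-group) requires certificate authentication.
tunnel-group PROFILE-A type remote-access
tunnel-group PROFILE-A webvpn-attributes
 authentication certificate
tunnel-group PROFILE-B type remote-access
tunnel-group PROFILE-B webvpn-attributes
 authentication certificate
!
! One certificate map (the "mapping criteria") per issuing CA.
! Each map matches on the issuer CN of the client certificate.
crypto ca certificate map MAP-ISSUER-A 10
 issuer-name attr cn eq example-issuing-ca-a
crypto ca certificate map MAP-ISSUER-B 10
 issuer-name attr cn eq example-issuing-ca-b
!
! The rules: each line binds one certificate map to one connection profile,
! so a certificate issued by CA A lands in PROFILE-A and one from CA B in PROFILE-B.
webvpn
 certificate-group-map MAP-ISSUER-A 10 PROFILE-A
 certificate-group-map MAP-ISSUER-B 10 PROFILE-B
```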
Yes, I have seen that video but I am still confused. I mean, what happens if I have two different Root certificates, and I want that users with certificate A connect to the Profile A while users with certificate B connect to the Profile B. I cannot see the relation between rules and mapping criteria.
If I create two different mapping criteria, how can I ensure that I meet the specifications commented before? I cannot see anything when creating the rule where you can specify which mapping criteria to use specifically. Thanks.