ASA - SSL VPN with Certificate Authentication

Hello,

I need to configure SSL VPN with certificate authentication on the ASA, but I am having some trouble finding a detailed guide on how to do it. As far as I know, I just need to specify Certificate as the Authentication Method in the Profile, install the certificate on the client PC (each user has his own certificate), and install the root certificate on the ASA (the certificates are provided by Comodo CA). Am I missing something else? Thank you very much.

Best Regards.


Hi,
Which CA issued the certificates to the users, an internal Windows CA?
If so, you will need to import that CA certificate into the ASA to establish trust in the certificate the client uses for authentication.

HTH

Hi,

No, it is an external CA. So, I just need to upload the root and intermediate CA certificates under "CA Certificates" in Certificate Management, right? Thank you!

Best Regards.


The ASA needs to trust the certificate presented by the users, so yes, create a trustpoint on the ASA with the external CA certificate chain.

Ok, thank you very much. On the other hand, is there a way to specify which trustpoint is associated with the Profile? I mean, if I have 5 profiles which allow access to different users and give different access, can I configure it so that users with a specific certificate are the only ones who will be authenticated to the specific profile?

I want to avoid that users with trusted certificates can access all the profiles which require Certificate Authentication. Thanks!

EDIT: I have found this: https://community.cisco.com/legacyfs/online/legacy/8/8/2/75288-ASA_LocalCA.pdf

My question now is: what if I have different certificate issuers? Do I have to specify different mapping criteria for each certificate? What is the behavior if I have 2 different matching criteria? Thanks.


Match on a unique attribute, e.g. the certificate issuer, then create different rules; each rule would map to a different tunnel-group.


The example below demonstrates what you need to configure; it matches on OU (organizational unit) rather than issuer. Just create multiple rules for each mapping you require.

https://www.youtube.com/watch?v=fXyXvkWo0r4

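The CLI equivalent of what the reply above describes, with one certificate map per external issuer and each map bound to its own tunnel-group. This is an added example, not configuration posted in the thread; the trustpoint, map, tunnel-group and group-policy names and the issuer CNs are placeholders you must replace with your own. Attribute lines under one sequence number of a map must all match (they are ANDed); separate map entries are evaluated in order and the first match selects the tunnel-group, so two issuers simply become two entries. A client certificate that matches no entry falls through to DefaultWEBVPNGroup, which is why the example pins that group to a group-policy that allows no logins.

```cisco
! Added example (not from the thread). All names and issuer CNs are assumptions.

! 1. Trust each external issuing CA. One trustpoint per CA certificate in the
!    chain (root and intermediate). "crypto ca authenticate" is run from exec
!    mode and prompts for the PEM to be pasted, terminated by "quit".
crypto ca trustpoint EXT-CA-A
 enrollment terminal
crypto ca trustpoint EXT-CA-B
 enrollment terminal
! exec: crypto ca authenticate EXT-CA-A   (paste PEM of issuer A, then quit)
! exec: crypto ca authenticate EXT-CA-B   (paste PEM of issuer B, then quit)

! 2. One certificate map per issuer. Sequence 10 holds the match criteria;
!    add further lines under the same sequence only if they must ALL match.
crypto ca certificate map MAP-ISSUER-A 10
 issuer-name attr cn eq "Example Issuing CA A"
crypto ca certificate map MAP-ISSUER-B 10
 issuer-name attr cn eq "Example Issuing CA B"

! 3. Group policies carrying the different access levels.
group-policy GP-A internal
group-policy GP-A attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-B internal
group-policy GP-B attributes
 vpn-tunnel-protocol ssl-client
! Catch-all policy that permits no sessions.
group-policy GP-DENY internal
group-policy GP-DENY attributes
 vpn-simultaneous-logins 0

! 4. Tunnel-groups (connection profiles) using certificate authentication.
tunnel-group TG-A type remote-access
tunnel-group TG-A general-attributes
 default-group-policy GP-A
tunnel-group TG-A webvpn-attributes
 authentication certificate
tunnel-group TG-B type remote-access
tunnel-group TG-B general-attributes
 default-group-policy GP-B
tunnel-group TG-B webvpn-attributes
 authentication certificate

! Anything that matches neither map lands here; deny it.
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GP-DENY

! 5. Bind each map entry to its tunnel-group for SSL VPN.
webvpn
 enable outside
 certificate-group-map MAP-ISSUER-A 10 TG-A
 certificate-group-map MAP-ISSUER-B 10 TG-B
```

After a test connection, `show vpn-sessiondb anyconnect` shows the tunnel-group each session was placed in, and `debug webvpn 255` (on a lab box only) shows which certificate-group-map entry matched. If you also expose group aliases or group-urls for these tunnel-groups, verify on your release that the certificate map still governs placement for a user who selects a different profile; otherwise keep the alias list disabled for certificate-only profiles.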

Yes, I have seen that video, but I am still confused. I mean, what happens if I have two different root certificates, and I want users with certificate A to connect to Profile A while users with certificate B connect to Profile B? I cannot see the relation between rules and mapping criteria.

If I create two different mapping criteria, how can I ensure that I meet the requirements mentioned before? I cannot see anything when creating the rule where you can specify which map criteria to use specifically. Thanks.
