ASA - SSL VPN with Certificate Authentication
04-16-2020 02:20 AM - edited 04-16-2020 02:41 AM
Hello,
I need to configure SSL VPN with certificate authentication in ASA but I am having some issues finding a detailed guide about how to do it. As far as I know, I just need to specify Certificate as Authentication Method in the Profile, install the certificate on the client PC (each user has his own certificate) and install the root certificate in the ASA (certificates are provided by Comodo CA). Am I missing something else? Thank you very much.
Best Regards.
04-16-2020 03:50 AM
Which CA issued the certificates to the users, an Internal Windows CA?
If so, you will need to import that CA certificate into the ASA to establish trust in the certificate the client uses for authentication.
HTH
04-16-2020 04:36 AM - edited 04-16-2020 04:37 AM
Hi,
No, it is an external CA. So, I just need to upload the root and intermediate CA certificates under "CA Certificates" inside Certificate Management, right? Thank you!
Best Regards.
04-16-2020 07:20 AM
05-04-2020 01:40 AM - edited 05-04-2020 02:23 AM
Ok, thank you very much. On the other hand, is there a way to specify which trustpoint is associated with the Profile? I mean, if I have 5 profiles which allow access to different users and give different access, can I configure it so that users with a specific certificate are the only ones which will be authenticated in the specific profile?
I want to avoid users with trusted certificates being able to access all the profiles which require Certificate Authentication. Thanks!
EDIT: I have found this: https://community.cisco.com/legacyfs/online/legacy/8/8/2/75288-ASA_LocalCA.pdf
My question now is: what if I have different certificate issuers? Do I have to specify different mapping criteria for each certificate? How does it behave if I have 2 different matching criteria? Thanks.
05-04-2020 02:30 AM
Match on a unique attribute, e.g. the certificate issuer, then create different rules; each rule would map to a different tunnel-group.
The example below demonstrates what you need to configure; it matches on OU (organisational unit) rather than issuer. Just create multiple rules for each mapping you require.
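The issuer-based variant of that mapping, written out as ASA CLI. This is an added example, not the configuration from the video or from anyone in the thread: the trustpoint names, map names, tunnel-group names, group-policy names and the issuer CN values are all assumptions, so substitute the CN of your own issuing CAs (taken from `show crypto ca certificates` after import).

```cisco
! Added example (not from the thread). Trustpoint, map, tunnel-group,
! group-policy names and the issuer CN values are assumptions.

! 1. One trustpoint per issuing CA the ASA must validate client certs against.
!    'crypto ca authenticate' is an exec-mode command that prompts for the PEM.
crypto ca trustpoint CA-A-ISSUING
 enrollment terminal
 revocation-check crl none   ! check CRL, fall through to none if CDP unreachable
!
crypto ca trustpoint CA-B-ISSUING
 enrollment terminal
 revocation-check crl none
! (exec mode)  crypto ca authenticate CA-A-ISSUING   <- paste issuing CA A PEM
! (exec mode)  crypto ca authenticate CA-B-ISSUING   <- paste issuing CA B PEM
! Repeat with further trustpoints for the roots if the chains are not complete.

! 2. Certificate maps: one map per issuer. 'issuer-name' is the Issuer field
!    of the *client* certificate, i.e. the CN of the issuing (intermediate) CA,
!    not of the root, so that is the value to match.
crypto ca certificate map MAP-A 10
 issuer-name attr cn eq ExampleCA-A-Issuing
crypto ca certificate map MAP-B 10
 issuer-name attr cn eq ExampleCA-B-Issuing

! 3. Connection profiles (tunnel-groups) with certificate-only authentication,
!    each with its own group-policy so access differs per profile.
tunnel-group PROFILE-A type remote-access
tunnel-group PROFILE-A general-attributes
 default-group-policy GP-A
tunnel-group PROFILE-A webvpn-attributes
 authentication certificate
!
tunnel-group PROFILE-B type remote-access
tunnel-group PROFILE-B general-attributes
 default-group-policy GP-B
tunnel-group PROFILE-B webvpn-attributes
 authentication certificate

! 4. Bind each map to its tunnel-group for SSL/AnyConnect sessions.
!    Rules are evaluated in sequence order; the first match wins. A certificate
!    that matches no rule falls through to group-url/group-alias selection and
!    finally to DefaultWEBVPNGroup, so do not leave that default group on
!    certificate-only authentication.
webvpn
 certificate-group-map MAP-A 10 PROFILE-A
 certificate-group-map MAP-B 10 PROFILE-B
```

The relation the thread is asking about is the `certificate-group-map` line: the map (MAP-A, MAP-B) holds the matching criteria, and the binding under `webvpn` is the "rule" that says which tunnel-group a matching certificate lands in. With the default ASA selection order a certificate-map match is applied before group-url and group-alias, so a holder of a CA-B certificate who picks the PROFILE-A alias is still placed in PROFILE-B; confirm this in a lab with `show vpn-sessiondb anyconnect` (Tunnel Group column) and `debug crypto ca 3` before relying on it, and note `revocation-check crl none` trades strict revocation for availability, so tighten it to `revocation-check crl` if the CDP is reliably reachable.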
05-05-2020 01:15 AM
Yes, I have seen that video but I am still confused. I mean, what happens if I have two different root certificates, and I want users with certificate A to connect to Profile A while users with certificate B connect to Profile B? I cannot see the relation between rules and mapping criteria.
If I create two different mapping criteria, how can I ensure that I meet the requirements mentioned before? I cannot see anything when creating the rule where you can specify which map criteria to use specifically. Thanks.
