ASA Certificate Mappings for Anyconnect

Karlheinz Hagen
Level 1

Hi,

I'm using SSLVPN within a Microsoft PKI. If a cert has been issued by the CA and installed on a client device a specific connection profile is forced (via ASDM configuration 'Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps').

I started by creating a mapping to the issuer (CA) which of course isn't enough since there are other (non-SSL-VPN) certs issued by the CA. So I have to create a more specific rule, but I don't have a satisfying idea.

IMHO the best way would be to create a mapping to the extension 'certificate template information' which holds the OID of the cert template on the CA, but it seems that this is not supported by the ASA (9.3(1)). I can only query the extended key usage attribute, which isn't enough either.

What is the best practice solution here?

Marvin Rhoads
Hall of Fame

The way it's recommended in the VPN training class is to have client or organizational attributes in the certificate that you map to. Examples would be CN (Common Name or the username), OU (Organizational Unit) etc.

You can then follow the process: create a certificate-to-connection profile map, specify which attribute in a subject name should contain which value, and finally configure a mapping between a connection profile and a connection profile map.
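
The three steps above in ASA CLI, as an added configuration example that is not part of the original thread. The connection profile name anyconnectsslgroup comes from the thread; the map name VPN-USERS, the OU value VPN-Users and the issuer CN Corp-Issuing-CA are constructed placeholders for your own PKI.

```cisco
! Added example, not from the thread. VPN-USERS, VPN-Users and
! Corp-Issuing-CA are constructed; anyconnectsslgroup is the profile
! named in the thread.
!
! Step 1 and 2: a certificate map with one rule (sequence 10). All lines
! in a rule are ANDed, so an issuer-only rule (which matches every cert
! the CA ever issued, code-signing certs included) is narrowed to certs
! whose subject OU is the VPN users unit.
crypto ca certificate map VPN-USERS 10
 subject-name attr ou eq VPN-Users
 issuer-name attr cn eq Corp-Issuing-CA
!
! Step 3: bind rule 10 of the map to the connection profile (tunnel-group).
! A client presenting a matching cert is placed into anyconnectsslgroup.
webvpn
 certificate-group-map VPN-USERS 10 anyconnectsslgroup
!
! Authenticate this profile with the client certificate. Switch to
! "authentication aaa certificate" to also require a username/password.
tunnel-group anyconnectsslgroup webvpn-attributes
 authentication certificate
```

Verify the match with `show crypto ca certificate map` and, for a live session, `show vpn-sessiondb detail anyconnect`, which reports the tunnel-group the certificate map selected.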

Thanks for your reply. Your answer helped me to solve my initial question. I now use the OU and some other fields to map a certificate to a specific connection profile.

Unfortunately there is another problem which now comes up: users with a valid certificate issued by the CA (i.e. a code-signing cert) will not be forced to use a specific connection profile, since the mapping has been adjusted. They can now choose between all profiles, which is ok for now. However, if they select the 'anyconnectsslgroup' the next step of the AnyConnect connection procedure will be to check if the (or any?) valid certificate is installed. If not, a challenge password is required. Since there is a valid certificate issued by the PKI CA (i.e. a code-signing cert) no challenge password is required.

Which certificate is being used at the step where the challenge password is required (or not)? Is it possible to define / force a specific cert for validating?

Thanks again.
