AnyConnect Certificate Based Authentication.

Marvin Ruiz · ‎08-27-2012

The information in this document is based on these software and hardware versions:

ASA 5510 that runs software version 8.2(2) and ASDM version 6.4(9)

Anyconnect client software version 3.0 (It will work the same for versions prior to 8.3)

Microsoft Windows 2003 server as the CA server for the scenario.

Since the ASA version in use is 8.2.x we can enable per tunnel-group certificate authentication.

(Feature in the ASA 8.2.x release, using pre-8.2.x ASA code it will require to globally enabling the certificate authentication with the command

"ssl certificate-authentication interface <interface> port <portnum>").

In order to acomplish the AnyConnect authentication using certificates the AnyConnect client should get a valid certificate from the CA server, at the

same time the ASA should have the CA Root certificate in order to properly validate the certificate of the connecting client.

1-) Make sure you have an AnyConnect image applied in the ASA firewall:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software

Click the Add button, and browse the flash for the proper image (optionally you can upload the client from the local PC).

2-) Enable anyconnect in the outside interface:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Check the box "Enable Cisco AnyConnect VPN Client or legacy SSL Client"

Then select the interface where the AnyConnect clients will be connecting to (in this example the outside interface).

The " Allow user to select connection profile" check option will allow the AnyConnect user to select the group they will be connecting to.

3-) Create a new AnyConnect connection profile:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Click the Add button, the "AnyConnect connection profile" window will open.

Give the connection profile a name and optionally a group alias.

Click the "Select" button next to the "Client Address Pools" option.

The " Select Address Pools" window will appear.

Click the "Add" button in order to create a new pool of addresses.

4-) Create a Group-policy:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Click the "Manage" button next to the "Group Policy" option in the connection profile.

Click the "Add" button in order to create the new policy.

Give the policy a name (In this example "AnyConnect-Policy") and check the "Clientless SSL VPN" and "SSL VPN Client" boxes, then click the "ok" button.

The AnyConnect group have been created at this point.

5-) Install the CA certificate in the ASA:

The CA certificate must be downloaded from the CA server and installed in the ASA.

Complete these steps in order to download the CA certificate from the CA server.

Perform the web login into the CA server CA-server with the help of the credentials supplied to the VPN server.

Click Download a CA certificate, certificate chain or CRL in order to open the window,

as shown. Click the Base 64 radio button as the encoding method, and click Download CA certificate.

Save the CA certificate with the certnew.cer name on your computer.

Go to Configuration > Remote Access VPN > Certificate Management > CA Certificates in the ASA firewall.

Click on the "Add" button, the "Install Certificate" window will open.

Click the "Browse" button next to the "Install from a file" option.

Browse to the location where you saved the CA certificate, highlight the CA certificate and click on the "Install" button.

At this point the CA certificate will be installed in the ASA fiwall and it willl be able to validate the connecting users, which user's certificate was created from the same CA server.

6-) Go back to the AnyConnect connection profiles and change the profile to use certificate authentication:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Highlight the "AnyConnect-group" profile and click the "Edit" button.

The "Edit AnyConnect Connection Profile" will open, then you will be able to select the authentication method to be "Certificate"

Click the "OK" button and then click "Apply"

(Remember to save the configuration performed)

7-) The next step would be to install the certificate in the AnyConnect client PC:

The user will need to log in into the CA server with his credentials.

Once in the CA server, the user will need to click in the "Request a certificate" option.

The user will want to select the "User Certificate" option.

At this point the CA sever will provide the user certificate to be installed.

Once the certificate is installed the user will be able to connect the AnyConnect client authenticating with the previously installed certificate

(No username and password required)

Below you will find how the configuration should look like in the CLI interface:

ip local pool AnyConnect 10.10.10.1-10.10.10.254 mask 255.255.255.0

group-policy AnyConect-policy internal

group-policy AnyConect-policy attributes

vpn-tunnel-protocol svc webvpn

tunnel-group AnyConnect-group type remote-access

tunnel-group AnyConnect-group general-attributes

address-pool AnyConnect

default-group-policy AnyConect-policy

tunnel-group AnyConnect-group webvpn-attributes

authentication certificate

group-alias AnyConnect enable

webvpn

enable outside

svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1

svc enable

tunnel-group-list enable

crypto ca trustpoint ASDM_TrustPoint0

revocation-check none

no id-usage

enrollment terminal

crypto ca authenticate ASDM_TrustPoint0

MIIEtDCCA5ygAwIBAgIQcNSMRXs696JMHFgTc+OKPjANBgkqhkiG9w0BAQUFADBV

MRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY3J0YWMxFjAU

BgoJkiaJk/IsZAEZFgZ2cG5sYWIxDzANBgNVBAMTBnZwbmxhYjAeFw0xMjA2MDUy

MDAyNThaFw0xNzA2MDUyMDExNTdaMFUxEzARBgoJkiaJk/IsZAEZFgNjb20xFTAT

BgoJkiaJk/IsZAEZFgVjcnRhYzEWMBQGCgmSJomT8ixkARkWBnZwbmxhYjEPMA0G

A1UEAxMGdnBubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Wo7

iCHElRUbgGAJgsf52AxlQLmeyMTSgS2I6/hTCOmra5BkP4cUieSeWqnOAPYgGTj/

it3qGVLBjkjf2sHBUBHfIUm8nnQF2UNjTbJZVIfCAyrHoRXNDFNV6qlKFoMmi7VG

2CudXsbuC86LsFDTMkk2Y2UB/T1xUpf5TBX+uQDb7w4jIZs1DkpQBmE946lH8vyA

GHU6RdainLr/44Sa0iPjzngMdssq0QlE/8gYWr6HsAOvmKhf8RcokjqXEQ36JyAF

+N/6sqoDTYl6jXg72PuoLO/zcmu8qbY+aRQGu5tlKXVemb9FyEKOuLe/Q4PirCz1

TUHw8urOHcHCquo5PwIDAQABo4IBfjCCAXowEwYJKwYBBAGCNxQCBAYeBABDAEEw

CwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNI2q3uAQNAg

nR+BfjqEcGUZaHoNMIIBEgYDVR0fBIIBCTCCAQUwggEBoIH+oIH7hoG7bGRhcDov

Ly9DTj12cG5sYWIsQ049dnBuLXNlcnZlci0wMSxDTj1DRFAsQ049UHVibGljJTIw

S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz12

cG5sYWIsREM9Y3J0YWMsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/

YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludIY7aHR0cDovL3Zw

bi1zZXJ2ZXItMDEudnBubGFiLmNydGFjLmNvbS9DZXJ0RW5yb2xsL3ZwbmxhYi5j

cmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAEHyvayVbKqT

0rwZNFBC3GAnUCDCK3kJxyjvir+T2pcCVS5KLukhTcDtr5VBOrSGsFA+zJvqB7qS

dwAvh9tKjpdb6rQKM5bo7NKii7mU71WxK8/wSupLMlNEZemvZcnaLKB2P5TGwJ0K

9LTp/rT89pvO9QbEMnRMPi0dPHQbu90sDLLBksxUfXII8qNyjjqNnVq2GDHX56Gz

DzltLTLnrL4Gb/1M9ulwO2bzNV9J7uVg6iELJDbzkHFaCNXTvQJyDsN41xETg54Y

uv6hViCXnu0SaaWi2rjVqx8pUXD7O3jrH9jnBC71cUqzv+MBvJI3th9iMMA80Gno

Rl0Ipuf7dYk=

quit

I hope this information can be helpful for you..

Marvin Ruiz · ‎09-30-2012

Hello Burhan,

The configuration for AnyConnect for mobile devices (Android, phone, Ipad, etc) will be just the same for the regular AnyConnect client.

If it is already in place for PCs, then you should be able to connect the Smartphones.

It would be good that you check if the ASA has a proper license for AnyConnect for mobiles as in the example below:

show version output:

Failover cluster licensed features for this platform:

Maximum Physical Interfaces : Unlimited perpetual

Maximum VLANs : 100 perpetual

Inside Hosts : Unlimited perpetual

Failover : Active/Active perpetual

VPN-DES : Enabled perpetual

VPN-3DES-AES : Enabled perpetual

Security Contexts : 5 perpetual

GTP/GPRS : Disabled perpetual

AnyConnect Premium Peers : 250 perpetual

AnyConnect Essentials : 250 perpetual

Other VPN Peers : 250 perpetual

Total VPN Peers : 250 perpetual

Shared License : Enabled perpetual

AnyConnect for Mobile : Enabled perpetual

AnyConnect for Cisco VPN Phone : Enabled perpetual

Advanced Endpoint Assessment : Enabled perpetual

UC Phone Proxy Sessions : 52 perpetual

Total UC Proxy Sessions : 52 perpetual

Botnet Traffic Filter : Disabled perpetual

Intercompany Media Engine : Disabled perpetual

In case you do not have this license enabled in the ASA you can use the following link in order to get a 90 demo license for mobile devices:

AnyConnect mobile 90 day demo license.

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet

If after installing the license you still face issue I would suggest opening a case with TAC support team for further trouble shooting.

I hope this information can be helpful for you.

Best regards,

sal.mobin · ‎10-03-2012

Thank you so much Marvin.

Best regards,

Sal

dm · ‎10-03-2012

Hello!

As I undrestand certficate based authentication just checks is certificate signed by CA or not.

But if, let's say, user's ipad is lost, how to block access? I.e. how to revoce certificate?

Marvin Ruiz · ‎10-16-2012

Hello,

In case the ASA needs to check if a specific certificate is still valid, or if it has been revoked; you could configure revocation checking in the trustpoint that is used to authenticate the clients.

For further information you can check the link below:

Configuring Certificates

(About Revocation Checking section)

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/cert_cfg.html#wp1054657

I hope you find this information useful.

Best regards,

dm · ‎10-16-2012

Thank you! This is what I wanted :-)

topher1086 · ‎11-30-2012

Hi Marvin,

I have no problem setting this up with certificate authentication. We have a scenario where we have machines in different OUs and would like to assign different access rights based on that. Can we filter by fields in the certificate subject field? I could do this with no problem with the Cisco VPN client using IPSec, but it doesn't seem to work the same way with the Anyconnect SSL connection. I'd prefer to use the SSL tunneling though.

Thanks.

rsmith · ‎12-10-2012

Hi Marvin, I have two quick questions:

1: I have the Certificate set up as you outlined above, with ONE User account. I had 10 devices use this account/OTP to load the certificate on their remote devices.(These all have a similar funtion). If one of these devices gets lost, and I revoke the certificate, will the other 9 devices be revoked also, and need to re-enroll with another certificate?

2: I have created 10 NEW user accounts, they are not in use yet. Is there any way, other than revoking the original certificate, to have the clients get a new certificate with one of these unique user accounts?

Thanks! Russ

rsmith · ‎12-10-2012

One follow-up question to the above:

There are two certificates showing for the user at this time (just started deploying these devices). Both show the same Username, but the Certificate Serial Numbers are 0x2 and 0x3. Is there ANY way to determine WHICH device holds which of these Serial Numbers? (Other than Revoking one and seeing who starts screaming?)

krishnanand.yadav · ‎01-31-2013

Hi Marvin,

Wonderful explaination, I have been looking for this for a long time. This helps me improve my skills in configuring anyconnect VPN. Thanks for this post.

Ryan Liu · ‎02-08-2013

Hi Marvin,

Great document!

I have done AnyConnect VPN with certificate authentication by referencing your document.

But there is another question with Certificate to SSL VPN Connection Profile Maps.

I can create mapping rules to define different OU in certificate maps to different policy group.

But if I use a certificate which can not match any mapping rules, I will be dropped into default policy group.

Can I do something to make this situation into drop VPN connection if it can't match any mapping rule?

Thanks for your kindly sharing.

Best regards,

pratheesh.venu · ‎03-28-2013

Thank You for the wonderful document.

Please confirm if my understanding is corect:

This solution will allow the users to connect only if they a valid client certificate.

Any users without a valid client certificate wouldn't get authenticated by the ASA

Context:

I am working on a project to enable Client Certificate based authentication for an internal web site. Wondering if I can get the users to login through ASA (Anyconnect) using cleint certificate and then allow acces to the web site.

Cleint-----(client certifiate based authentication)------->ASA Any Connect---------->Web Site

Khoa Pham · ‎04-12-2013

Please review the post, pictures don't show up.

System Administrators · ‎05-14-2013

Only select images are being displayed...can we get this fixed?

Bryan Cordoba Sanchez · ‎05-14-2013

Hi Ryan Liu,

Answering your question:

Can I do something to make this situation into drop VPN connection if it can't match any mapping rule?

As you correctly described, if the certificate mapping rules don't match, the user will land in the Default Group Policy. So, if you want to drop the VPN connection for these users you can set the vpn-simultaneous-logins option to 0, that way the user will not be connected to the VPN.

This will be the changes in the configuration:

group-policy DfltGrpPolicy attributes

vpn-simultaneous-logins 0

Regards,

Bryan Cordoba

alexdelangel · ‎07-14-2014

Hello friends,

Allow me to resurect an old post!

Does this solution can also be applied with Essential License? I mean with IPsec Remote Access VPN? Or this just work with Premium Licenses (SSL VPN´s)?

Regards!

AnyConnect Certificate Based Authentication.

Getting past intermittent/unexplained 802.1x problems on Windows 7

Insights About Multiple Vulnerabilities in Cisco Discovery Protocol Implementations (CDPwn)