AnyConnect and user certificates

Spryjkov
Level 1

Hi all,

To connect to an AnyConnect VPN, we use USB tokens and smart cards. These tokens/cards often store several user certificates for various services (VPN, Wi-Fi, mail, etc.).

Each service has its own certificate template, and the certificate template for a specific service indicates a specific OID.

I found out that when connecting to the ASA via AnyConnect, the connection can use any of the user certificates that are present on the USB token or smart card.

But I would like ASA to allow connections only to users with a valid certificate for VPN.

I know how to check the validity of the certificate, but I don't understand how to select the VPN certificate from the multiple user certificates.

In addition, if the token or card stores a single certificate and it is not a certificate for VPN, then the ASA still allows connection.

Of course, not just anyone can connect to the VPN gateway; access to the VPN is regulated by AD group membership.

But if you have membership in this group, you can connect to VPN with any valid user certificate.

In the certificate map I tried to specify the extended-key-usage parameter with OID from VPN certificate, but I did not see any changes.

Does anyone have any idea?

Is it possible to connect to the VPN using only VPN certificate if there are other certificates on the token?

The ASA software version is now 9.8(2), but the problem is not in the version. On earlier versions, everything worked the same.

My configuration:

crypto ca certificate map DefaultCertificateMap 10
 extended-key-usage co (1.3.6.1.4.1.XXXXX.1.1)
 extended-key-usage co clientauth
!
webvpn
 enable INTERNET
 anyconnect image disk0:/anyconnect-win-4.6.02074-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.6.02074-k9.pkg 2
 anyconnect profiles VPN-PROFILE disk0:/vpn_profile.xml
 anyconnect enable
 tunnel-group-preference group-url
 certificate-group-map DefaultCertificateMap 10 DefaultWEBVPNGroup
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (INTERNET) RA_POOL
 address-pool RA_POOL
 authentication-server-group RADIUS
 authorization-server-group (WAN) RADIUS
 accounting-server-group RADIUS
 username-from-certificate UPN
 authentication-attr-from-server secondary
 authenticated-session-username secondary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
 pre-fill-username client hide
Thanks a lot.

4 Replies

Mike.Cifelli
VIP Alumni
In your certificate map try using a different attribute from the certificate you want used/selected. For example, an alt-subject-name or subject-name. That may help you accomplish what you are looking for. HTH!

Hello Mike,

Thanks for the idea. I also thought about it. But at the moment, the certificate templates hardly differ from each other. I think it is necessary to change the certificate template for VPN.

Are there any recommendations for creating a certificate for VPN?

Maybe I need to use some specific fields in this certificate?

A few things to add. If you want the user to select only the right certificate among multiple user certificates, use the certificate matching criterion inside the AnyConnect client XML profile. This way, the right cert gets sent to the ASA. See the details on certificate matching below:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-00000161

On the ASA, the certificate mapping is used for mapping users to tunnel-groups based on the cert sent. If you only have one tunnel-group that you want the users to hit, then there is no point in using certificate mapping if you already have the matching done in the profile.
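Added example, not from any post in this thread: one ASA-side way to make the check happen on the gateway rather than relying on the client profile alone, addressing both the original configuration above and the tunnel-group mapping point in the reply. The names VPN-CERT-MAP, NOACCESS, VPN-USERS and VPN-TG are assumptions, the OID is the poster's placeholder, and it assumes RADIUS does not push a group-policy to the catch-all tunnel-group.

```cisco
! Added example, not from any post in this thread. Enforces on the ASA
! itself that only a certificate carrying the VPN template's EKU OID
! reaches the real tunnel-group; any other user certificate lands in a
! group-policy that permits zero logins. The OID below is the poster's
! placeholder; the names VPN-CERT-MAP, NOACCESS, VPN-USERS and VPN-TG
! are assumptions.
!
! 1. Match only the VPN certificate: EKU must contain the VPN OID.
crypto ca certificate map VPN-CERT-MAP 10
 extended-key-usage co 1.3.6.1.4.1.XXXXX.1.1
 extended-key-usage co clientauth
!
! 2. A deny group-policy: a session that lands here is refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 3. The working group-policy and tunnel-group, reachable only via the map.
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 vpn-simultaneous-logins 3
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 address-pool RA_POOL
 authentication-server-group RADIUS
 default-group-policy VPN-USERS
 username-from-certificate UPN
tunnel-group VPN-TG webvpn-attributes
 authentication aaa certificate
 pre-fill-username client hide
!
! 4. The catch-all group gets the deny policy, so a token that only
!    holds a Wi-Fi or mail certificate cannot complete a session even
!    when the user is in the AD group. Keep RADIUS authorization off
!    this group: a group-policy pushed by RADIUS would override it.
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy NOACCESS
!
! 5. Route matching certificates to VPN-TG; unmatched certificates
!    fall through to DefaultWEBVPNGroup. Pair this with a
!    CertificateMatch rule on the same OID in the client profile so
!    a token holding several certificates presents the right one.
webvpn
 certificate-group-map VPN-CERT-MAP 10 VPN-TG
```

Verify with a token that holds only a non-VPN certificate: the session should be refused on the ASA even though AAA authentication succeeds, which is the gap the client-side match alone does not close.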

Hello Rahul,

Thanks for the link.
In my AnyConnect profile, I also set up matching of the user's VPN certificate using the extended key usage, but this does not help in solving my problem.
Can I try checking the certificate using ISE, or would that be wrong?