ASA Certificate validation against custom field in certificate

Hello

Can't seem to remember what configuration allows you to validate the certificate based on a certain field.

Ideally, I am looking to authenticate a group of users who will have a certificate with an attribute set up. Is it possible to build a configuration in the ASA that can match a custom field in the certificate? Users that had certificates from the same PKI but didn't have the correct certificate template with the field set up would be denied access to the VPN.

I think I remember a configuration in IOS that allowed you to specify an attribute to be checked when validating the certificate, e.g. check that the subject name contains a value when performing the validation.

Thanks

2 Replies

GioGonza
Level 4

Hello @is.infrastructure1,

The feature is called "certificate mapping" and here are some links to make the configuration based on whatever requirement you want to check on the certificate:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html#anc16

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/aaa_certs.html#37201

HTH

Gio

Rahul Govindan
VIP Alumni

You can have the certificate to tunnel-group mapping so that only users with valid certificates are moved to the custom tunnel-group that you create. The DefaultWebvpnGroup can then be disabled for access so that the rest of the users fall into that and get denied access.

This feature in itself does not validate the certificate based on the field/attribute. The certificate should still be valid, be issued by the right CA and not be revoked. The mapping feature just puts you into the right tunnel group before authentication.
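The pattern the two replies describe, written out as an added ASA configuration example (it is not from the original thread or from the Cisco documents linked above). The trustpoint name CORP-CA, the map name CERT-USERS, the tunnel-group and group-policy names, the issuer CN and the OU value "VPN-Users" are all assumptions; substitute whatever the real certificate template places in the subject DN.

```cisco
! Assumed names (constructed for this example): trustpoint CORP-CA, map
! CERT-USERS, tunnel-group CERT-VPN, and the OU value "VPN-Users" that the
! intended certificate template stamps into the subject DN.

! 1. Trust the issuing CA and keep revocation checking on. The map below does
!    not replace this step: a certificate that fails chain building or the
!    CRL check is rejected before any map rule is evaluated.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl

! 2. Certificate map. Every line inside one rule must match (logical AND).
!    Only subject-name, issuer-name, alt-subject-name and extended-key-usage
!    can be tested, so the distinguishing value has to live in the DN.
crypto ca certificate map CERT-USERS 10
 issuer-name attr cn eq corp-issuing-ca
 subject-name attr ou eq VPN-Users

! 3. Group policy and tunnel group that are reachable only through the map;
!    certificate-only authentication on this tunnel group.
group-policy GP-CERT-VPN internal
group-policy GP-CERT-VPN attributes
 vpn-tunnel-protocol ssl-client
tunnel-group CERT-VPN type remote-access
tunnel-group CERT-VPN general-attributes
 default-group-policy GP-CERT-VPN
tunnel-group CERT-VPN webvpn-attributes
 authentication certificate

! 4. Send certificates that satisfy rule 10 of CERT-USERS to CERT-VPN.
webvpn
 certificate-group-map CERT-USERS 10 CERT-VPN

! 5. Everything else lands in DefaultWEBVPNGroup. Give it a group policy that
!    allows zero simultaneous logins so those sessions are refused.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GP-NOACCESS
```

Two points to check when adopting this. First, the map never inspects arbitrary X.509 extensions: a Microsoft "certificate template" marker that exists only as a custom extension is invisible to it, so the template must also write the marker into the subject (for example an OU) or the EKU for the match to work. Second, the map only selects the tunnel group; a certificate from the same PKI that lacks the OU is still cryptographically valid and still falls through to DefaultWEBVPNGroup, which is why step 5 is what actually denies it. After connecting a test user, `show vpn-sessiondb anyconnect` shows which tunnel group the session was placed in, which confirms whether the map matched.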