03-12-2013 07:57 PM
Is it possible to do per tunnel-group authentication on ASA 8.4.x?
Here are the scenarios:
(1) tunnel-group_A is authenticating using Digital Certificate (PKI)
(2) tunnel-group_B is authenticating using AAA (RSA token, SecurID)
(3) tunnel-group_C is authenticating using LOCAL (AAA user define locally)
Tunnel-group_A, B and C are all using the same physical interface as Outside interface.
I tested it but it is not working the way I expected. btw, I've already disabled "ssl certificate-authentication interface outside port 443"
Here are the test results:
If tunnel-group_A is configured with Certificate, then tunnel-group_B connection will fail, but tunnel-group_C connection is working fine.
It seems like tunnel-group_B is trying to authenticate with Certificate too, so it failed. btw, it seems authenticating using LOCAL will always work.
I understand that you can configure tunnel_group_A to do "both" Certificate and AAA, but that is not what I want.
Has anyone seen this before? Is there a way to work around it?
Thanks
03-12-2013 10:24 PM
Hello Joe,
tunnel-group A webvpn-attributes
authentication certificate
!
tunnel-group B general-attributes
default-authentication-server RSA_SERVER
tunnel-group B webvpn-attributes
authentication aaa
!
tunnel-group C general-attributes
default-authentication-server LOCAL
tunnel-group C webvpn-attributes
authentication aaa
!
That's how you do it for AnyConnect.
HTH.
Portu.
03-13-2013 06:55 AM
Thanks for your time and support Javier!!! That was what I did before I posted my question. It was not working, TunnelGroup B connection did not come up.
tunnel-group TunnelGroup B general-attributes
authentication-server-group SSL-VPN
!
tunnel-group TunnelGroup B webvpn-attributes
authentication aaa
btw, the "default-authentication-server" command is not available, however, "authentication-server" is available under general-attributes. I am using 8.4(2)
(config-tunnel-general)# default-authentication-server SSL-VPN
^
ERROR: % Invalid input detected at '^' marker.
Any other idea to make this work? Thanks Joe
03-13-2013 10:41 AM
Hi Joe,
I am sorry, that was a typo!
On the other hand, we need debugs to analyze the issue.
Could you please attach the following output during the connection attempt?
debug aaa common 254
debug radius all
debug webvpn svc 254
Thanks.
Portu.
03-14-2013 06:48 AM
Hi Javier,
Thanks again for your inputs and comments. Actually, the config does work; I found a problem on the group-policies, and once I fixed that it works fine.
Question: now that the config is working, how does the ASA know which tunnel-group to map incoming traffic to? I tried using "Certificate to SSL VPN Connection Profile Maps" but it is not clear to me how this works.
For example:
(1) If I want to map incoming traffic with "Certificate" to tunnel-group A;
(2) if I want to map incoming traffic without "Certificate" to tunnel-group B,
How to do that?
Thanks
Joe
03-14-2013 07:09 AM
Hi Joe,
That's a good question
There are two ways:
1- You could use a group-url or a group-alias to identify each connection profile, so the clients will connect directly to the specific tunnel-group. Then the ASA looks for a valid Root certificate to validate the client's certificate; if it is a valid certificate, the connection will be allowed.
2- You could use certificate mapping. So you set up something like this:
CA 1: Issued by a.
CA 2: Issued by b.
tunnel-group AnyConnect_IT webvpn-attributes
authentication certificate
!
tunnel-group AnyConnect_Public webvpn-attributes
authentication certificate
!
crypto ca certificate map CERT_MAP 10
issuer-name attr cn eq a
!
crypto ca certificate map CERT_MAP 20
issuer-name attr cn eq b
!
webvpn
enable outside
anyconnect image flash:/anyconnect-win-3.1.01065-k9.pkg
anyconnect enable
certificate-group-map CERT_MAP 10 AnyConnect_IT
certificate-group-map CERT_MAP 20 AnyConnect_Public
So when the client connects, the ASA will check the "issuer-name" attribute in the Root certificate and will associate it to the correct tunnel-group.
Let me know if you have any further questions.
Portu.
03-14-2013 07:13 AM
In case you don't want to use a certificate:
tunnel-group AnyConnect_IT webvpn-attributes
authentication certificate
!
tunnel-group AnyConnect_Public webvpn-attributes
authentication aaa
group-alias Public enable
So they will connect directly to the tunnel-group named Public.
03-14-2013 08:24 AM
Thanks Javier!
If I use "group-alias Public enable" in your example, the user will need to "select" the group from the drop-down list when they log in via a clientless VPN session, right?
My end goal is that user doesn't need to make any selection when they login to ASA. If incoming traffic is "certificate" based, it will land on tunnel-group A and if it is not a "certificate" based then it will land on tunnel-group B. Can it be done?
I know group-url may work (the user needs to type in the "whole" URL address), but I would like to hear your inputs.
Thanks
Joe
03-14-2013 09:00 AM
Joe,
Yes, I would then use group-url. And I would create and XML profile with the specific URLs in the server list.
Let me know.
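The group-url plus XML profile approach described above, as an added example that is not from Portu or the thread: each ServerList host entry carries a UserGroup, which the AnyConnect client appends to the host address as the group-url path, so the user picks a named entry and lands on the matching tunnel-group without a drop-down. The host name vpn.example.com, the suffixes cert and token, and the tunnel-group names A and B are hypothetical; the matching ASA group-url lines are shown in comments.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread). Hypothetical names throughout. -->
<AnyConnectProfile xmlns="http://schemas.xml.cisco.com/VPN/1.0"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xml.cisco.com/VPN/1.0 AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Let the client offer a usable certificate automatically; an entry whose
         tunnel-group uses "authentication aaa" just prompts for credentials. -->
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
    <AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
  </ClientInitialization>
  <ServerList>
    <!-- Client connects to https://vpn.example.com/cert -> tunnel-group A.
         ASA side (certificate authentication, as in the thread):
           tunnel-group A webvpn-attributes
            authentication certificate
            group-url https://vpn.example.com/cert enable -->
    <HostEntry>
      <HostName>Corp VPN (certificate)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>cert</UserGroup>
    </HostEntry>
    <!-- Client connects to https://vpn.example.com/token -> tunnel-group B.
         ASA side (AAA / RSA token authentication, as in the thread):
           tunnel-group B webvpn-attributes
            authentication aaa
            group-url https://vpn.example.com/token enable -->
    <HostEntry>
      <HostName>Corp VPN (RSA token)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>token</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The authentication method is enforced by the tunnel-group the group-url resolves to, not by the profile entry, so a user who types a different group-url still gets that group's configured method.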
03-14-2013 09:27 AM
Great idea Javier! Thanks. Digging in a little deeper here: is there a way to build an Access-List to filter specified VPN traffic (allow or deny) inside the tunnel-group? And how to do it? btw, I am tunneling all traffic inside the VPN. Many thanks, Joe
03-14-2013 09:42 AM
I am glad you found it helpful
Regarding the VPN Filter, check this out:
Keep me posted.
03-14-2013 11:37 AM
You are the man Javier!!! For now, I am good. Many thanks Joe
03-14-2013 11:52 AM
You are very welcome!!
Take care man