12-26-2012 01:54 AM
Hi
I have an Asa with a few Trustpoints configured. How can I only allow client certificates from one trustpoint in one tunnel-group? I've only seen client-side settings like the connection profile or certificate-maps, but they don't stop authentications with the wrong certificate.
Could I send the client certificate to a RADIUS like with dot1x and check it on the authentication server?
12-26-2012 04:25 AM
Hi Marcel,
First, you can use certificate-map on the ASA to link a new SSL session to the desired connection profile.
However, as you observed, the ASA will validate any certificate that was issued by a trusted CA (one for which you have the CA certificate in a trustpoint), providing it is indeed valid and the optional CRL check goes ok.
If for some reason you have a scenario where you want to deny SSLVPN access to users that have a valid certificate issued by a given trusted CA, you can use the certificate-map to bind those new SSL sessions to a "dead-end" connection profile that has the maximum number of sessions set to 0:
Example config:
!first define the group-policy and profile to catch those sessions that should not gain access:
group-policy DeadEnd_GP internal
group-policy DeadEnd_GP attributes
 ! 0 simultaneous logins: a session landing in this profile can never be established
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
tunnel-group DeadEnd type remote-access
tunnel-group DeadEnd general-attributes
 default-group-policy DeadEnd_GP
tunnel-group DeadEnd webvpn-attributes
 authentication certificate
!Then define the certificate map criteria, mapping accepted certificates to a "good" profile:
crypto ca certificate map mycertmap 10
 issuer-name attr cn eq myIssuer
crypto ca certificate map mycertmap 20
!this rule (no criteria) is a "catch-all" rule; rules are evaluated in sequence order, first match wins
!Finally, set the mapping in the global webvpn section (the profile names must match the tunnel-groups defined above):
webvpn
 certificate-group-map mycertmap 10 myProfile1
 certificate-group-map mycertmap 20 DeadEnd
--
Note that:
1. When configuring certificate-map, your ASA will ask client-side certificates for all SSL connections. If you also have AAA-only authenticated profiles, this may be a problem - I am not 100% sure that it will work ok, I would need to test.
2. If you use ASDM, you will find the certificate map definition in menu
Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps
===
Second, about using Radius - it is not possible to send the certificate itself to Radius (AFAIK) but you can use Radius authorization as an additional step after the certificate validation.
The ASA will first extract a username from the client certificate's subject-name - it is configurable and can even be scripted in Lua.
Then a Radius Access-request is sent for the extracted username - so you will probably need that user to exist on the Radius server.
In ASDM you will find this configuration per connection profile, in the Advanced > Authorization sub-section of the connection profile editor.
You may be interested in looking into this guide explaining one use-case where such authorization was used to allow only certain users that had a certificate from a national PKI:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00808e00ec.shtml
In Step 6, point L, the authorization is configured.
It is a fairly old guide but is still relevant; you will see that it uses the LOCAL server for the authorization, but besides that it's the same principle.
===
I hope this helps, please let us know.
Cheers,
Chris
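As an added illustration of the decision flow Chris describes (this is example code written for this page, not code from the thread, from the ASA, or from Cisco), the following Python model evaluates an ordered certificate map with first-match semantics, routes the session to a connection profile, refuses sessions that land in a profile whose group-policy has 0 simultaneous logins, and then applies the optional per-profile authorization lookup for the username the ASA would extract from the subject DN. The DN string format, the set of operators modelled (eq, ne, co, nc), the case-insensitive comparison and the sample certificates are all assumptions of the example; chain validation against the trustpoints is assumed to have already succeeded.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


def parse_dn(dn: str) -> dict:
    """Parse a DN string like 'CN=alice,O=Example Corp' into {'cn': 'alice', 'o': ...}.

    Attribute names are lower-cased so rules can be written as 'cn', 'o', 'ou'.
    """
    attrs = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    return attrs


@dataclass
class Rule:
    """One 'crypto ca certificate map <name> <seq>' entry and its criteria.

    A criterion is (field, attr, op, value), e.g. ('issuer-name', 'cn', 'eq', 'myIssuer').
    An entry with no criteria is a catch-all, like rule 20 in the thread.
    Comparisons are modelled case-insensitively here (an assumption of this example).
    """
    seq: int
    criteria: list = field(default_factory=list)

    def matches(self, cert: dict) -> bool:
        for field_name, attr, op, value in self.criteria:
            actual = parse_dn(cert[field_name]).get(attr, "").lower()
            value = value.lower()
            if op == "eq":
                ok = actual == value
            elif op == "ne":
                ok = actual != value
            elif op == "co":
                ok = value in actual
            elif op == "nc":
                ok = value not in actual
            else:
                raise ValueError(f"unsupported operator {op!r}")
            if not ok:
                return False
        return True


@dataclass
class Profile:
    """A connection profile: its group-policy login limit and an optional user allow-list.

    authorized_users=None means no authorization step is configured for the profile;
    a set stands in for the users the RADIUS/LOCAL server would accept.
    """
    name: str
    simultaneous_logins: int
    authorized_users: Optional[set] = None


def select_profile(cert_map: list, group_map: dict, profiles: dict, cert: dict) -> Profile:
    """certificate-group-map: the lowest-sequence rule that matches wins."""
    for rule in sorted(cert_map, key=lambda r: r.seq):
        if rule.matches(cert):
            return profiles[group_map[rule.seq]]
    raise LookupError("no certificate map rule matched")  # impossible with a catch-all rule


def decide(cert_map: list, group_map: dict, profiles: dict, cert: dict, username_attr: str = "cn"):
    """Return (profile name, verdict, reason) for an already chain-validated client certificate."""
    profile = select_profile(cert_map, group_map, profiles, cert)
    if profile.simultaneous_logins == 0:
        return profile.name, "deny", "dead-end profile: vpn-simultaneous-logins 0"
    # Username taken from the subject DN, as the ASA does before sending the Access-Request
    username = parse_dn(cert["subject-name"]).get(username_attr, "")
    if profile.authorized_users is not None and username not in profile.authorized_users:
        return profile.name, "deny", f"authorization failed for user {username!r}"
    return profile.name, "allow", f"user {username!r} authorized"


# Mirrors the thread's config: rule 10 keys on the issuer CN, rule 20 is the catch-all.
CERT_MAP = [Rule(10, [("issuer-name", "cn", "eq", "myIssuer")]), Rule(20)]
GROUP_MAP = {10: "myProfile1", 20: "DeadEnd"}
PROFILES = {
    "myProfile1": Profile("myProfile1", 3, {"alice", "bob"}),
    "DeadEnd": Profile("DeadEnd", 0),
}

# Constructed sample certificates, reduced to the two DN fields this model needs.
CERTS = {
    "alice-good-ca": {"issuer-name": "CN=myIssuer,O=Example Corp", "subject-name": "CN=alice,O=Example Corp"},
    "dave-good-ca": {"issuer-name": "CN=myIssuer,O=Example Corp", "subject-name": "CN=dave,O=Example Corp"},
    "carol-other-ca": {"issuer-name": "CN=OtherTrustedCA,O=Partner", "subject-name": "CN=carol,O=Partner"},
}


def run_samples() -> dict:
    """Evaluate every sample certificate; returns {name: (profile, verdict, reason)}."""
    return {name: decide(CERT_MAP, GROUP_MAP, PROFILES, cert) for name, cert in CERTS.items()}


if __name__ == "__main__":
    for name, (profile, verdict, reason) in run_samples().items():
        print(f"{name:16} -> {profile:11} {verdict:5} ({reason})")
```

The three sample outcomes correspond to the three cases in the thread: a certificate from the wanted issuer whose user passes authorization is allowed, a certificate from the same issuer whose user is unknown to the authorization server is refused, and a valid certificate from any other trusted CA falls through to the catch-all rule and is refused by the dead-end profile.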
12-26-2012 05:12 AM
Hi clandrai
Thank you very much for your input. I'll try the catch-all certmap together with the per-tunnel cert auth [1]. An issue with the cert-map could be that a match in cert-auth connects automatically, so users with a certificate matching the catch-all rule can't connect to an aaa tunnel-group because they can't select the right profile.
The reason that I can't use cert + aaa is the iOS on-demand VPN feature, which requires certificate-only authentication (AnyConnect + Jabber). (Another issue is that I can only use SCEP Legacy and that it only works on iOS but not on Windows AC 2.5.6005.)
04-08-2022 05:43 AM
10 years later your suggestion about certificate-group-map still stands. Thank you very much for in depth answer. There is not much information about those features online.