ASA SSLVPN certificate authentication trustpoints

Marcel Maeder
Level 4

Hi

I have an ASA with a few trustpoints configured. How can I only allow client certificates from one trustpoint in one tunnel-group? I've only seen client-side settings like the connection profile or certificate-maps, but they don't stop authentications with the wrong certificate.

Could I send the client certificate to a RADIUS like with dot1x and check it on the authentication server?

1 Accepted Solution

Accepted Solutions

clandrai
Cisco Employee

Hi Marcel,

First, you can use certificate-map on the ASA to link a new SSL session to the desired connection profile.

However, as you observed, the ASA will validate any certificate that was issued by a trusted CA (one for which you have the CA certificate in a trustpoint), provided it is indeed valid and the optional CRL check goes ok.

If for some reason you have a scenario where you want to deny SSLVPN access to users that have a valid certificate issued by a given trusted CA, you can use the certificate-map to bind those new SSL sessions to a "dead-end" connection profile that has the maximum number of sessions set to 0:

Example config:

!first define the group-policy and profile to catch those sessions that should not gain access:
group-policy DeadEnd_GP internal
group-policy DeadEnd_GP attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
!
tunnel-group DeadEnd type remote-access
tunnel-group DeadEnd general-attributes
 default-group-policy DeadEnd_GP
tunnel-group DeadEnd webvpn-attributes
 authentication certificate
!
!Then define the certificate map criteria, mapping accepted certificates to a "good" profile:
crypto ca certificate map mycertmap 10
 issuer-name attr cn eq myIssuer
crypto ca certificate map mycertmap 20
!this rule is a "catch-all" rule (no criteria, so any certificate matches it)
!
!Finally, set the mapping in the global webvpn section
!(the second entry must reference the dead-end tunnel-group defined above):
webvpn
 certificate-group-map mycertmap 10 myProfile1
 certificate-group-map mycertmap 20 DeadEnd

--

Note that:

1. When configuring certificate-map, your ASA will ask client-side certificates for all SSL connections. If you also have AAA-only authenticated profiles, this may be a problem - I am not 100% sure that it will work ok, I would need to test.

2. If you use ASDM, you will find the certificate map definition in menu

     Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps

===

Second, about using Radius - it is not possible to send the certificate itself to Radius (AFAIK) but you can use Radius authorization as an additional step after the certificate validation.

The ASA will first extract a username from the client certificate's subject-name - it is configurable and can even be scripted in Lua.

Then a Radius Access-Request is sent for the extracted username - so you will probably need that user to exist on the Radius server.

In ASDM you will find this configuration per connection profile, in the Advanced > Authorization sub-section when editing the connection profile.

You may be interested in looking into this guide explaining one use-case where such authorization was used to allow only certain users that had a certificate from a national PKI:

     http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00808e00ec.shtml

In Step 6, point L, the authorization is configured.

It is a fairly old guide but still applies; you will see that it uses the LOCAL server for the authorization but besides that it's the same principle.

===

I hope this helps, please let us know.

Cheers,

Chris
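As an added illustration (not code from the post or from Cisco), a Python model of how the map in the answer is evaluated: rules are tried in sequence order, the first match picks the tunnel-group through certificate-group-map, and a tunnel-group whose policy allows 0 simultaneous logins accepts the certificate but never grants access. Rule, map and tunnel-group names copy the config above; the certificates and the login count for myProfile1 are constructed.

```python
# Added example, not code from the post: a small model of how the ASA walks an
# ordered "crypto ca certificate map" and hands the session to a tunnel-group,
# so the dead-end map from the answer can be sanity-checked against a list of
# certificates before it is deployed. Certificate data here is constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Operators the ASA map syntax offers for an attribute rule (case-insensitive).
OPS: Dict[str, Callable[[str, str], bool]] = {
    "eq": lambda have, want: have.lower() == want.lower(),
    "ne": lambda have, want: have.lower() != want.lower(),
    "co": lambda have, want: want.lower() in have.lower(),
    "nc": lambda have, want: want.lower() not in have.lower(),
}

@dataclass
class MapRule:
    seq: int
    # Each criterion is (field, attr, op, value); an empty list is the catch-all.
    criteria: List[Tuple[str, str, str, str]] = field(default_factory=list)

# Mirrors the answer: rule 10 needs issuer CN == myIssuer, rule 20 catches the rest.
RULES = [MapRule(10, [("issuer-name", "cn", "eq", "myIssuer")]), MapRule(20)]
# webvpn certificate-group-map: rule sequence -> tunnel-group.
GROUP_MAP = {10: "myProfile1", 20: "DeadEnd"}
# vpn-simultaneous-logins of each tunnel-group's default group-policy (3 is constructed).
LOGINS = {"myProfile1": 3, "DeadEnd": 0}

def rule_matches(rule: MapRule, cert: Dict[str, Dict[str, str]]) -> bool:
    """All criteria of a rule must hold for the certificate to match it."""
    for fld, attr, op, want in rule.criteria:
        have = cert.get(fld, {}).get(attr)
        if have is None or not OPS[op](have, want):
            return False
    return True

def admit(cert: Dict[str, Dict[str, str]]) -> Tuple[Optional[str], bool]:
    """Lowest-sequence matching rule picks the tunnel-group; a group whose
    policy allows 0 simultaneous logins accepts the certificate but denies access."""
    for rule in sorted(RULES, key=lambda r: r.seq):
        if rule_matches(rule, cert):
            name = GROUP_MAP[rule.seq]
            return name, LOGINS[name] > 0
    return None, False  # no rule matched: no certificate-group-map applies

# Constructed certificates: one from the intended CA, one from another trusted CA.
GOOD_CERT = {"issuer-name": {"cn": "myIssuer"}, "subject-name": {"cn": "alice"}}
STRAY_CERT = {"issuer-name": {"cn": "OtherTrustedCA"}, "subject-name": {"cn": "bob"}}
```

Running admit() over an inventory of issued certificates shows which ones would land in the dead-end profile, which is exactly the situation Marcel's follow-up raises for users who also need an AAA profile.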


Hi clandrai

Thank you very much for your input. I'll try the catch-all certmap together with the per-tunnel cert auth [1]. An issue with the cert-map could be that a match in cert-auth connects automatically, so users with a certificate matching the catch-all rule can't connect to an aaa tunnel-group because they can't select the right profile.

The reason that I can't use cert + aaa is the iOS on-demand VPN feature, which requires certificate-only authentication (AnyConnect + Jabber). (Another issue is that I can only use SCEP Legacy and that it only works on iOS but not on Windows AC 2.5.6005.)

[1] https://supportforums.cisco.com/docs/DOC-8155

10 years later your suggestion about certificate-group-map still stands. Thank you very much for the in-depth answer. There is not much information about those features online.