cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
452
Views
0
Helpful
2
Replies

Cisco IOS Remote Access VPN matching the username from the Digital Certificate - is it possible?

Hi there!

I have been trying to configure remote access VPN using digital certificates for authentication on some routers using IOS. What I want to do is authenticate the user based on the email in the subject in the certificate. The situation is as follows:

Imagine two users - userA and userB, having certs certA and certB. In my configuration so far I have an ISAKMP policy using digital signatures and a PKI trustpoint which uses external CA (OpenSSL) with no revocation check. Phase 1 goes OK and when userA(B) uses certA(B) he is able to get the Phase 1.5 prompt, authenticate further using the password stored in the router`s local database and get VPN access. What I am trying to avoid is the ability for userA to authenticate usinghis own password but with certB and vice versa. Is there a way in IOS to lock the username for Phase 1.5 authentication to some field in the digital certificate? 

I am sure this feature is available in the ASA, but what about the IOS? I am not very familiar with IKEv2 since my router does not support it, but if this is the only way to go, I might be able to find one.

I am also pasting some parts from my config:

 

aaa authentication login Mobile local
aaa authorization network Mobile local

crypto pki trustpoint PKI_TRUSTPOINT
 enrollment terminal pem
 usage ike
 revocation-check none
 rsakeypair Keypair 1024
 ! Here I found a command "authorization username subjectname ..." which I was unable to use for something fruitful.

crypto pki certificate map CERT-MAP 10
 issuer-name co Test-CA

crypto isakmp policy 100
 encr aes
 group 2

crypto isakmp identity dn

crypto isakmp client configuration group TestGroup      !Which matches the OU in the certificate
 dns 192.168.117.1
 pool MOBILEPOOL

crypto isakmp profile MOBILEPROFILE
   match identity group MOBILEVPN
   client authentication list Mobile
   isakmp authorization list Mobile
   client configuration address respond
   virtual-template 200

 

Any help would be appreciated! Thank you in advance!

Cheers!

 

 

 

2 Replies 2

Jan Rolny
Level 3
Level 3

Hello,

It should be possible from Cisco IOS Release 12.4(9)T or later as described in this article:

 

http://www.cisco.com/c/en/us/support/docs/security/ios-sslvpn/116125-configure-SSLVPN-00.html

 

Step 4. Configure Certificate Map

A certificate map is used to classify incoming VPN client connections to specific WebVPN contexts. This classification is performed based on matching criteria configured in the certificate map. This configuration shows how to check for the OU field of the end-user certificate.

Router#configure terminal
Router(config)#crypto pki certificate map cert_map 10
Router(ca-certificate-map)# subject-name eq ou = sales
Router(ca-certificate-map)#!
Router(ca-certificate-map)#crypto pki certificate map ssl-vpn 10
Router(ca-certificate-map)# subject-name eq ou = finance
Router(ca-certificate-map)#exit
Router(config)#exit

Best regards,

Jan

 

Hello, Jan, and thank you!

This is a nice article that I have come across a while ago, but it is considering webvpn.

What I am trying to achieve is bonding between the username that the user provides in phase 1.5 (xauth) and some field (e.g. email) in the subject name of the certificate used in phase 1 of IPSec negotiation. The idea here is to stop userA with certA from authenticating with userB`s credentials.

I also didn`t mention that the VPN Client I am using is Cisco VPN Client 5

Cheers!