08-30-2012 04:11 AM
Hi all,
Does anyone have experience with clientless VPN using a self-signed certificate?
I have a self-signed certificate generated with the openssl tool. I have the CA certificate imported into the ASA and associated with the appropriate trustpoint. Then I have a client certificate signed by my CA and imported into my PC (client). I can see the certificate is imported properly in the system (screenshot).
When I go to the webvpn login page, the IE browser prompts me for a client certificate. I choose the correct one and then I get
"Internet Explorer cannot display the webpage". This happens only when I configure certificate authentication on the ASA.
When I create a profile for LOCAL authentication (local user database), I can log in using the local user credentials.
Below is my config:
ASA Version 8.4(2)
!
hostname asa842
domain-name asa842
enable password xxx encrypted
passwd xxx encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address dhcp
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.0.0.1
domain-name asa842
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN_Pool 10.143.8.33-10.143.8.62 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 8443
http 172.30.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint logosCA
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa842
crl configure
crypto ca certificate chain logosCA
certificate ca 00e01674de882061dc
30820686 3082046e a0030201 02020900 e01674de 882061dc 300d0609 2a864886
f70d0101 05050030 8188310b 30090603 55040613 02435a31 17301506 03550408
....
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 42133f50
308201d5 3082013e a0030201 02020442 133f5030 0d06092a 864886f7 0d010105
0500302f 310f300d 06035504 03130661 73613834 32311c30 1a06092a 864886f7
......
quit
telnet timeout 5
ssh 172.30.5.0 255.255.255.0 outside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl certificate-authentication interface outside port 443
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
default-domain value asa842
username xxx password xxx encrypted privilege 15
service-type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Pool
authorization-server-group LOCAL
username-from-certificate EA SER
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication aaa certificate
radius-reject-message
pre-fill-username ssl-client
pre-fill-username clientless
group-alias Default enable
tunnel-group Clientless_SSL_VPN type remote-access
tunnel-group Clientless_SSL_VPN general-attributes
username-from-certificate EA SER
tunnel-group Clientless_SSL_VPN webvpn-attributes
authentication aaa certificate
pre-fill-username clientless
group-alias SSL_CERT enable
: end
It is a testing environment and I am trying to find out how to configure the ASA for certificate authentication.
Thanks in advance for any ideas.
Jan
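An added offline check for the setup described in this post (example script written for this page, not taken from the thread or from Cisco): it rebuilds a CA and a client certificate with openssl the way the post describes, confirms that the certificate destined for the trustpoint really is a CA, confirms that the client certificate chains to it with the TLS-client purpose (the same trust decision the ASA makes when the browser presents the certificate), and shows which value `username-from-certificate EA SER` would derive. The subjects, file names and WORKDIR path are constructed test data; treating the serial number as a fallback used only when the e-mail attribute is absent is an assumption to confirm against the command reference for your release.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the poster's PKI with openssl and check,
# before importing anything into a trustpoint, what the ASA will see.
# All subjects, file names and WORKDIR are constructed test data.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal openssl config so the result does not depend on the system openssl.cnf.
# v3_ca marks the issuer as a real CA (what the "logosCA" trustpoint must hold);
# v3_client marks the leaf as a TLS client certificate.
write_openssl_cnf() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints     = CA:FALSE
keyUsage             = critical,digitalSignature
extendedKeyUsage     = clientAuth
EOF
}

# Self-signed CA, the role the openssl-generated CA plays in the thread.
make_ca() {
  openssl req -config "$WORKDIR/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -subj "/C=CZ/ST=Czech Republic/L=Brno/O=IT/OU=IT/CN=Test CA" >/dev/null 2>&1
}

# Client certificate signed by that CA. The emailAddress attribute is what
# "username-from-certificate EA ..." reads; a second cert without it exercises the fallback.
make_client_cert() {
  subj="$1"; out="$2"
  openssl req -config "$WORKDIR/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/$out.key" -out "$WORKDIR/$out.csr" -subj "$subj" >/dev/null 2>&1
  openssl x509 -req -in "$WORKDIR/$out.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORKDIR/openssl.cnf" -extensions v3_client \
    -out "$WORKDIR/$out.crt" >/dev/null 2>&1
}

# Check 1: is the certificate you are about to paste into the trustpoint actually a CA?
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: does the client certificate chain to the CA and carry the TLS-client purpose?
verify_client_cert() {
  openssl verify -purpose sslclient -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

# Check 3: the username the ASA would derive. Assumption made here: with
# "username-from-certificate EA SER" the EA (e-mail) field is used when present and the
# serial number only when it is absent; confirm this against the command reference.
asa_username_from_cert() {
  email=$(openssl x509 -in "$1" -noout -email | head -n 1)
  if [ -n "$email" ]; then
    printf '%s\n' "$email"
  else
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
  fi
}

setup_test_pki() {
  write_openssl_cnf
  make_ca
  make_client_cert "/C=CZ/O=IT/CN=Client cert/emailAddress=test@test.cz" client-with-email
  make_client_cert "/C=CZ/O=IT/CN=Client cert" client-no-email
}

if [ "${1:-}" = "run" ]; then
  setup_test_pki
  is_ca_cert "$WORKDIR/ca.crt" && echo "CA cert carries basicConstraints CA:TRUE"
  verify_client_cert "$WORKDIR/client-with-email.crt" && echo "client cert chains to the CA"
  echo "ASA username (EA present): $(asa_username_from_cert "$WORKDIR/client-with-email.crt")"
  echo "ASA username (EA absent):  $(asa_username_from_cert "$WORKDIR/client-no-email.crt")"
fi
```

Run it as `sh check-asa-pki.sh run`. If `is_ca_cert` fails on the file you intend to import, the trustpoint will hold a leaf certificate rather than an issuer and client certificates will never validate against it; if `asa_username_from_cert` prints a serial number instead of an e-mail address, the certificate has no EA attribute for the pre-fill to use.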
09-04-2012 04:33 PM
Hi Jan,
May I know the steps you followed to install the certificate on the ASA?
Did you generate a CSR from the ASA?
"show run ssl" output?
"show crypto ca certificate" output?
"show crypto ca trustpoint" output?
Thanks.
Portu.
09-05-2012 01:43 AM
Hi Portu,
I am not using a self-signed certificate generated by the ASA. I have generated a self-signed certificate via openssl to simulate an external CA.
asa842# sh run ssl
ssl certificate-authentication interface outside port 443
asa842# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 42133f50
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=asa842.asa842
cn=asa842
Subject Name:
hostname=asa842.asa842
cn=asa842
Validity Date:
start date: 09:38:13 CEDT Aug 30 2012
end date: 09:38:13 CEDT Aug 28 2022
Associated Trustpoints: ASDM_TrustPoint0
CA Certificate
Status: Available
Certificate Serial Number: 00e01674de882061dc
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
ea=test@test.cz
cn=Client cert
ou=IT
o=IT
l=Brno
st=Czech Republic
c=CZ
Subject Name:
ea=test@test.cz
cn=Client cert
ou=IT
o=IT
l=Brno
st=Czech Republic
c=CZ
Validity Date:
start date: 13:59:54 CEDT Aug 29 2012
end date: 13:59:54 CEDT Aug 29 2013
Associated Trustpoints: logosCA
asa842# sh crypto ca trustpoints
Trustpoint logosCA:
Subject Name:
ea=test@test.cz
cn=Client cert
ou=IT
o=IT
l=Brno
st=Czech Republic
c=CZ
Serial Number: 00e01674de882061dc
Certificate configured.
Trustpoint ASDM_TrustPoint0:
Configured for self-signed certificate generation.
Jan
09-05-2012 05:38 AM
Good day Jan,
Please add the following command:
ssl trust-point ASDM_TrustPoint0 outside
You do not need the "ssl certificate-authentication interface outside port 443" command, so you could remove it.
Please let me know.