Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
448
Views
0
Helpful
2
Replies

Defined list of certificates for WebVPNs and VPNs

ROBERTO GIANA
Level 4
Level 4

‎11-18-2010 10:07 AM

Hi

Has anybody an idea how we can limit WebVPN or VPN connectivity to a defined list of certificates?

I want to use a certificate for VPN authentication. For example a Verisign, sorry Symantec certificate. :-) But I don't want to let anybody in the world haveing a Symantec certificate into my VPN. I only want to let in users with certificates with defined attributes. For example a list of defined serialnumbers or certificate with special company O-attributes, etc.

I tried to use connection profile maps. But certificates which fail with their attributes get stil access. They just get mapped to the defaultWebVPNgroup profile, although the "default to connection profile" policy has not been enabled. And BTW: It's not possible to make a profile which is not allowed to use any kind of VPN technology. So where do you default the failed connections?

Has anybody tried that and got a solution?

Greatings

Roberto

Labels:
0 Helpful
2 Replies 2

Vikas Saxena
Cisco Employee
Cisco Employee

‎11-20-2010 12:37 AM

You can try configuring SimultaneousUsers=0 in DefaultWebVPNGroup. Since you already have the Cert maps configured the user can be pushed to defined Tunnel Groups and Group policies leaving DefaultTunnelGroup and DefaultGroupPolicy to trap all the unwanted users. Since you will have simultaneousUser=0 they will be denied connection.

However, did you try setting user authentication with certificates, that is also a good idea.

0 Helpful

ROBERTO GIANA
Level 4
Level 4
In response to Vikas Saxena

‎11-25-2010 01:53 AM

Well a clear "NoLoginAllowed" or none of the VPN protocols allowed would be nicer, rather than setting the number of allowed logins to 0. I think it should work, although it doesn’t at the moment in my lab. I have to find out why.

Trying around with the certificates I saw that accessing the WebVPN is always mapped to the "DefaultWebVPNGroup". No matter where the certificate mapping points to. Otherwise I would need to use aliases to allow the user to preselect the correct "Connection Profile". Unfortunately the certificate mapping allows only mapping a certificate to the "Connection Profile" but not to the "Group Policy".

Setting the number of SimultaneousUsers=0 on the "DfltGrpPolicy" and locking it to the "DefaultWebVPNGroup" would disable WebVPN usage at all. And specific mapping of certificates to a “Group Policy” is not supported. Just a mapping to a “Connection Profile” is supported.

What's the benefit of using aaa and certificates for authentication and authorization? As my security still depends only on the username/password used to login, meanwhile everyone with a certificate from the public CA would be allowed to try out username/passwords.

I need a way to authorize certificates with specific attributes. Otherwise certificate based authentication is only useful when the certificates come from a private, dedicated CA. Is there a way to authorize certificates externally? For example on an ACS?

0 Helpful
Customers Also Viewed These Support Documents