01-16-2015 05:54 AM
Hello everyone.
Here is the scheme:
<End User> ----- (internet) ------ <ASA> -------- <Cisco Router with CA Server>
The ASA also gives access to the internal network (can't show it in this primitive scheme :) ). On the ASA I made a VPN server via EzVPN technology. It uses a CA server on another Cisco router to check users' certificates for IKE and chooses the profile based on it. After checking the certificate it also uses AD to check the user.
Users get certificates by using the "Enroll" function in the Cisco VPN client (to get a certificate they send a request to the Cisco router).
I have 2 problems with this solution:
1. When I delete a certificate from the Cisco router (2 files from flash and via the command "crypto pki server LocCASrev revoke 0x"), the user can still use the certificate to connect to the ASA.
2. The AD authentication ignores user membership. I want to make it so that only users with membership of "VPN_Enable" can use the ASA VPN connection.
Please, can anyone help point out the source of these 2 problems?
Here is my configuration:
1. Cisco router (problem point 1):
access-list 21 remark ----- Access to CA ------
[permited access]
access-list 21 deny any log
access-list 21 remark ----- END CA Access -----
ip http server
ip http port [port]
ip http access-class 21
no ip http secure-server
ip http timeout-policy idle 10 life 180 requests 100
crypto key generate rsa general-keys label [label] exportable
crypto pki server [ServerName]
no grant auto
database url flash:
database level minimum
issuer-name CN=CiscoCA
lifetime crl 48
lifetime certificate 365
lifetime ca-certificate 1825
no sh
exit
And the configuration of the ASA:
! Certificate server settings
crypto ca trustpoint CA_TPoint
enrollment url http://[Router IP Address]:[port]/cgi-bin/pkiclient.exe
subject-name CN=ASA
serial-number
exit
crypto ca authenticate CA_TPoint
yes
crypto ca enroll CA_TPoint
! LDAP Settings
! The commented lines below don't work with the certificate configuration (problem point 2)
!ldap attribute-map ADLDAPAttMap
! map-name memberOf Group-Policy
! map-value memberOf CN=Dep1,CN=VPN_Enable VPN1
! map-value memberOf CN=Dep2,CN=VPN_Enable VPN2
!exit
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP ([S_IF]) host [AD IP]
ldap-base-dn dc=[Domain]
ldap-group-base-dn dc=[Domain]
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password [User password]
ldap-login-dn [Domain user]
server-type microsoft
! ldap-attribute-map ADLDAPAttMap # This doesn't work either (problem point 2)
exit
! VPN Server Settings
! *********** Common settings
access-list ACL_SPLIT_TUNNELING remark ----- Split Tunneling for VPN connections ----------
[Internal networks]
access-list ACL_SPLIT_TUNNELING remark ----- END of Split Tunneling for VPN connections ---
tunnel-group-map enable rules
! *********** Group pools
! ---- VPN1 ----------------
ip local pool VPN1 [Pool IP 1st address]-[Pool IP last address] mask 255.255.255.255
access-list VPN_1 remark ----- ACL for VPN1 Group -----------------
[ACL for a first group]
access-list VPN_1 remark ----- END of ACL for VPN1 Group ----------
group-policy VPN1 internal
group-policy VPN1 attributes
password-storage disable
vpn-simultaneous-logins 25
vpn-idle-timeout 20
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_SPLIT_TUNNELING
address-pools value VPN1
vpn-filter value VPN_1
default-domain value [Domain]
exit
tunnel-group VPN1 type remote-access
tunnel-group VPN1 general-attributes
default-group-policy VPN1
authentication-server-group AD_LDAP
exit
tunnel-group VPN1 ipsec-attributes
trust-point CA_TPoint
exit
crypto ca certificate map CERF_MAP_EzVPN 10
subject-name attr ou eq VPN1
exit
tunnel-group-map CERF_MAP_EzVPN 10 VPN1
! ---- VPN2 ----------------
ip local pool VPN2 [Pool IP 1st address]-[Pool IP last address] mask 255.255.255.255
access-list VPN_2 remark ----- ACL for VPN2 Group -----------------
[ACL for a second group]
access-list VPN_2 remark ----- END of ACL for VPN2 Group ----------
group-policy VPN2 internal
group-policy VPN2 attributes
password-storage disable
vpn-simultaneous-logins 25
vpn-idle-timeout 20
wins-server value [IP]
dns-server value [IP]
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_SPLIT_TUNNELING
address-pools value VPN2
vpn-filter value VPN_2
default-domain value [Domain]
exit
tunnel-group VPN2 type remote-access
tunnel-group VPN2 general-attributes
default-group-policy VPN2
authentication-server-group AD_LDAP
exit
tunnel-group VPN2 ipsec-attributes
trust-point CA_TPoint
exit
crypto ca certificate map CERF_MAP_EzVPN 20
subject-name attr ou eq VPN2
exit
tunnel-group-map CERF_MAP_EzVPN 20 VPN2
! *********** All other common settings
crypto ipsec ikev1 transform-set easyvpn esp-3des esp-md5-hmac
crypto dynamic-map VPN_CRMAP 10 set ikev1 transform-set easyvpn
crypto dynamic-map VPN_CRMAP 10 set reverse-route
no crypto ikev1 am
crypto ikev1 enable [IF_to_ISP]
crypto ikev1 policy 20
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 3600
exit
crypto map EzVPN_MAP 65535 ipsec-isakmp dynamic VPN_CRMAP
crypto map EzVPN_MAP interface [IF_to_ISP]
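For problem point 2, the piece of the ASA logic that the "ldap attribute-map" touches can be worked through on its own. With "map-name memberOf Group-Policy", the ASA compares each memberOf value that AD returns for the user, as a whole group DN string, against the "map-value" entries and applies the matched group-policy; a user whose groups match nothing keeps the tunnel-group's default-group-policy, so the usual way to lock the VPN to one group is to make that default a policy with "vpn-simultaneous-logins 0". The Go program below is an added model of that mechanism written for this thread, not ASA code and not from the poster: the group DNs, policy names and user are constructed, and the first-match rule and the whitespace/case normalization are assumptions of the model, since the thread does not say how the ASA compares the strings.

```go
package main

import (
	"fmt"
	"strings"
)

// AttributeMap models an ASA "ldap attribute-map" with "map-name memberOf Group-Policy":
// the key is the literal memberOf value (a full group DN), the value a group-policy name.
type AttributeMap map[string]string

// GroupPolicy carries the one attribute the deny-by-default pattern relies on.
type GroupPolicy struct {
	Name               string
	SimultaneousLogins int // vpn-simultaneous-logins; 0 means no session can be established
}

// normalizeDN trims space around RDNs and lowercases, so spacing and case differences
// between what AD returns and what was typed do not break the lookup. This is an
// assumption of the model; the thread says nothing about how the ASA compares strings.
func normalizeDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.TrimSpace(p)
	}
	return strings.ToLower(strings.Join(parts, ","))
}

// NewAttributeMap builds the map from "map-value memberOf <DN> <policy>" pairs.
func NewAttributeMap(mapValues map[string]string) AttributeMap {
	m := AttributeMap{}
	for dn, policy := range mapValues {
		m[normalizeDN(dn)] = policy
	}
	return m
}

// ResolvePolicy plays the ASA's role after the LDAP bind succeeded: walk the user's
// memberOf values, take the first one that has a mapping, else fall back to the
// tunnel-group's default-group-policy. The bool says whether a session may be built.
// Taking the first match is an assumption of this model.
func ResolvePolicy(m AttributeMap, memberOf []string, def GroupPolicy, policies map[string]GroupPolicy) (GroupPolicy, bool) {
	for _, dn := range memberOf {
		if name, ok := m[normalizeDN(dn)]; ok {
			if gp, found := policies[name]; found {
				return gp, gp.SimultaneousLogins > 0
			}
		}
	}
	return def, def.SimultaneousLogins > 0
}

func main() {
	// Constructed sample: two departmental groups and a user who is in Dep1's group.
	m := NewAttributeMap(map[string]string{
		"CN=VPN_Enable,OU=Dep1,DC=example,DC=local": "VPN1",
		"CN=VPN_Enable,OU=Dep2,DC=example,DC=local": "VPN2",
	})
	policies := map[string]GroupPolicy{"VPN1": {"VPN1", 25}, "VPN2": {"VPN2", 25}}
	noAccess := GroupPolicy{"NOACCESS", 0} // default-group-policy with vpn-simultaneous-logins 0
	memberOf := []string{
		"CN=Domain Users,CN=Users,DC=example,DC=local",
		"CN=VPN_Enable, OU=Dep1, DC=example, DC=local",
	}
	gp, allowed := ResolvePolicy(m, memberOf, noAccess, policies)
	fmt.Printf("policy=%s allowed=%v\n", gp.Name, allowed)
}
```

The point the model makes visible is that a "map-value" has to be the complete DN of the group as AD returns it in memberOf; a bare "CN=VPN_Enable" never equals any memberOf value, so every user falls through to the default policy. Note also that on the ASA the tunnel-group is chosen by the certificate map before any LDAP lookup happens, and the attribute map can only swap the group-policy afterwards; with a NOACCESS default, a valid certificate alone no longer gets anyone a session.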
01-21-2015 05:12 AM
OK, the solution for the first problem is found. Need to add these lines:
CA router:
crypto pki server CACisServ
cdp-url http://[IP Address]:[Port]/cgi-bin/pkiclient.exe?operation=GetCRL
exit
As you can see there is a "?" in the line. To type it you need to press Ctrl+V before entering this symbol.
On the ASA side you need to add:
crypto ca trustpoint ExtCisCAServ
revocation-check crl
exit
And after this you need to enroll the certificate for the ASA one more time (crypto ca enroll). After this the ASA downloads the CRL and starts using it.
So the only problem left is the second point. Is it possible to set a tunnel-group by matching the OU field in the certificate and an LDAP attribute-map?
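What "revocation-check crl" actually adds to the handshake is worth seeing end to end: the router's CA publishes a CRL at the cdp-url, the ASA fetches it, verifies that it is signed by the CA it trusts, checks that it has not passed its NextUpdate (48 hours here, from "lifetime crl 48"), and only then looks the peer's serial number up. Without that step a certificate deleted on the router is still a valid signature chain, which is exactly problem point 1. The Go program below is an added example written for this thread, not Cisco code and not the poster's: it builds a throwaway CA ("CN=CiscoCA") and one user certificate in memory, issues a CRL with and without that serial, and runs the same three checks an ASA configured with "revocation-check crl" performs. Key type, serial numbers and subject names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signCert signs tmpl with signerKey under parent and parses the result back.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI constructs stand-ins for the thread's PKI: the router's CA
// (issuer-name CN=CiscoCA) and one VPN user certificate whose OU is the
// attribute the ASA certificate map keys on. Names and serials are constructed.
func buildPKI() (caCert *x509.Certificate, caKey *ecdsa.PrivateKey, user *x509.Certificate, err error) {
	now := time.Now()
	if caKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "CiscoCA"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(1825 * 24 * time.Hour), // lifetime ca-certificate 1825
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CA must be allowed to sign CRLs
	}
	if caCert, err = signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return
	}
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x42), // constructed; this is the value a "revoke 0x.." command names
		Subject:      pkix.Name{CommonName: "vpnuser", OrganizationalUnit: []string{"VPN1"}},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(365 * 24 * time.Hour), // lifetime certificate 365
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	user, err = signCert(userTmpl, caCert, &userKey.PublicKey, caKey)
	return
}

// issueCRL is the CA side: publish a CRL listing the revoked serials that stays
// valid for lifetime (the thread's "lifetime crl 48" is 48 hours).
func issueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int, lifetime time.Duration) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(lifetime),
	}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
}

// checkRevocation is the relying-party side, what "revocation-check crl" makes the
// ASA do with a fetched CRL: verify the CRL signature against the trusted CA,
// refuse a CRL that is past NextUpdate, then look the peer's serial up.
// A non-nil error means the CRL is unusable and the peer must be rejected.
func checkRevocation(crlDER []byte, caCert, peer *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return false, fmt.Errorf("CRL not signed by trusted CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale; refusing to trust it")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	caCert, caKey, user, err := buildPKI()
	if err != nil {
		panic(err)
	}
	crl, err := issueCRL(caCert, caKey, []*big.Int{user.SerialNumber}, 48*time.Hour)
	if err != nil {
		panic(err)
	}
	revoked, err := checkRevocation(crl, caCert, user, time.Now())
	fmt.Println("serial 0x42 revoked:", revoked, "error:", err)
}
```

Two caveats follow from the stale-CRL branch. The ASA caches the CRL until NextUpdate, so after a "revoke" on the router a client keeps working for up to "lifetime crl" unless the cache is cleared, which is the trade-off behind the 48-hour value. And "revocation-check crl" on its own fails closed when the CDP URL cannot be reached, which is the behaviour you want; the "revocation-check crl none" form falls back to accepting the certificate when no CRL is available and silently reopens problem point 1 whenever the router is unreachable.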