Failed AnyConnect certificate matching does not deny the user

oysteins
Level 1

Hi

I am trying to set up certificate matching when using AnyConnect.

I want the ASA to check the issuer CN against a value.

I have configured it, and it works.

But when the certificate matching fails, the user still gets access. It connects to the GRP_policy "GroupPolicy_solbakken-any-test", but it should have failed.

The log looks like this:

09:28:04|716001|||||Group <GroupPolicy_solbakken-any-test> User <oystein solbakken> IP <62.148.39.161> WebVPN session started.
09:28:04|734001|||||DAP: User oystein solbakken, Addr 62.148.39.161, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
09:28:04|716038|||||Group <DfltGrpPolicy> User <oystein solbakken> IP <62.148.39.161> Authentication: successful, Session Type: WebVPN.
09:28:04|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 2266234A000000000035, subject name: cn=oystein solbakken,ou=Brukere,ou=LUND,dc=lund,dc=local, issuer_name: cn=lund-S-TRD-AD-01-CA,dc=lund,dc=local.
09:28:04|113009|||||AAA retrieved default group policy (GroupPolicy_solbakken-any-test) for user = oystein solbakken
09:28:04|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 2266234A000000000035, subject name: cn=oystein solbakken,ou=Brukere,ou=LUND,dc=lund,dc=local, issuer_name: cn=lund-S-TRD-AD-01-CA,dc=lund,dc=local.
09:28:04|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 2266234A000000000035, subject name: cn=oystein solbakken,ou=Brukere,ou=LUND,dc=lund,dc=local, issuer_name: cn=lund-S-TRD-AD-01-CA,dc=lund,dc=local.
09:28:04|725002|62.148.39.161|65223|||Device completed SSL handshake with client Internet:62.148.39.161/65223
09:28:04|717028|||||Certificate chain was successfully validated with warning, revocation status was not checked.
09:28:04|717022|||||Certificate was successfully validated. serial number: 2266234A000000000035, subject name:  cn=oystein solbakken,ou=Brukere,ou=LUND,dc=lund,dc=local.
09:28:04|302014|62.148.39.161|6875|89.248.2.6|443|Teardown TCP connection 2213 for Internet:62.148.39.161/6875 to identity:89.248.2.6/443 duration 0:00:00 bytes 4448 TCP Reset-I
09:28:04|725001|62.148.39.161|65223|||Starting SSL handshake with client Internet:62.148.39.161/65223 for TLSv1 session.
09:28:04|725007|62.148.39.161|6875|||SSL session with client Internet:62.148.39.161/6875 terminated.
09:28:04|302013|62.148.39.161|65223|89.248.2.6|443|Built inbound TCP connection 2214 for Internet:62.148.39.161/65223 (62.148.39.161/65223) to identity:89.248.2.6/443 (89.248.2.6/443)
09:28:04|725002|62.148.39.161|6875|||Device completed SSL handshake with client Internet:62.148.39.161/6875

Can anyone help me with this? I only want users with successful certificate matching to connect; all others should be denied.

Regards

Oystein

Accepted Solution

Herbert Baerten
Cisco Employee

Hi Oystein

you can do that by mapping all other users to a group that does not allow a connection, e.g.:

group-policy DenyAccess internal
group-policy DenyAccess attributes
  vpn-simultaneous-logins 0

tunnel-group NoAccess type remote-access
tunnel-group NoAccess general-attributes
  default-group-policy DenyAccess

crypto ca certificate map mymap 65535
  subject-name ne ""

webvpn
  certificate-group-map mymap 65535 NoAccess


hth
Herbert
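As an added illustration (not code from the thread or from Cisco), the Python below models how the ASA walks certificate-group-map entries in sequence-number order and falls back to the default tunnel group when no map matches, which is why a catch-all map at 65535 pointing at NoAccess closes the gap described in the question. The expected issuer CN, the map name issuer_ok and the tunnel-group names other than NoAccess are assumptions; the DN values are taken from the syslog in the question.

```python
from dataclasses import dataclass
@dataclass
class Rule:                # one line of a "crypto ca certificate map" entry
    dn_field: str          # "subject_name" or "issuer_name"
    attr: "str | None"     # e.g. "cn"; None means compare the whole DN string
    op: str                # "eq" or "ne"
    value: str

@dataclass
class CertMap:
    name: str
    seq: int               # sequence number; lower numbers are evaluated first
    rules: list

def dn_attr(dn, attr):
    """First value of attr in a comma-separated DN, or the whole DN when attr is None."""
    if attr is None:
        return dn
    for part in dn.split(","):
        k, _, v = part.partition("=")
        if k.strip().lower() == attr.lower():
            return v.strip()
    return ""

def rule_matches(rule, cert):
    actual = dn_attr(cert[rule.dn_field], rule.attr).lower()
    wanted = rule.value.lower()
    return actual == wanted if rule.op == "eq" else actual != wanted

def select_tunnel_group(cert, cert_maps, group_map, default_tg):
    """Walk certificate-group-map entries in sequence order; the first map whose rules all match wins."""
    for m in sorted(cert_maps, key=lambda m: m.seq):
        if all(rule_matches(r, cert) for r in m.rules):
            return group_map[m.name]
    return default_tg  # no map matched: the ASA falls back to the default tunnel group

# Constructed sample: DNs copied from the syslog in the question; the expected issuer CN,
# the "issuer_ok" map and the tunnel-group names other than NoAccess are assumptions.
USER_CERT = {"subject_name": "cn=oystein solbakken,ou=Brukere,ou=LUND,dc=lund,dc=local",
             "issuer_name": "cn=lund-S-TRD-AD-01-CA,dc=lund,dc=local"}
ISSUER_MAP = CertMap("issuer_ok", 10, [Rule("issuer_name", "cn", "eq", "EXPECTED-ISSUER-CA")])
CATCH_ALL = CertMap("mymap", 65535, [Rule("subject_name", None, "ne", "")])   # subject-name ne ""
GROUP_MAP = {"issuer_ok": "solbakken-any-test", "mymap": "NoAccess"}          # certificate-group-map
LOGINS = {"DefaultWEBVPNGroup": 3, "solbakken-any-test": 3, "NoAccess": 0}    # vpn-simultaneous-logins

def allowed(cert, cert_maps):
    """A tunnel group whose group policy sets vpn-simultaneous-logins 0 denies the connection."""
    tg = select_tunnel_group(cert, cert_maps, GROUP_MAP, "DefaultWEBVPNGroup")
    return LOGINS[tg] > 0
```

With only ISSUER_MAP configured, `allowed(USER_CERT, [ISSUER_MAP])` is True because nothing matched and the default tunnel group admits the user (the symptom in the question); adding CATCH_ALL makes it False.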



2 Replies

Hi, was encountering the same problem and this has sorted it out for me, thanks for the post!!