11-04-2010 10:20 AM
Hello,
I want to map some VPN clients to a specific group. Matching is based on the CN field from the client's certificate.
Previously all was pretty fine but today I've got a very strange thing.
Client certificates on IKE are not matched. This issue occurs only with one group, IT-VPN.
Here are the matching rules:
crypto ca certificate map IT-VPN 20
subject-name attr cn eq username1@domain
subject-name attr cn eq username2@domain
subject-name attr cn eq username3@domain
subject-name attr cn eq username4@domain
Matching parameters in the rules are exactly the same as in the CN field of the client's certificate.
As the client's certificate was not recognized by any existing group, the client is mapped to the DefaultRAGroup. This group is not configured.
So, the VPN peer is not created.
Here is output from ASA's syslog.
4 Nov 04 2010 15:43:20 717037 Tunnel group search using certificate maps failed for peer certificate serial number: 1AD8C64F000000000166, subject name: cn=username1@domain,ou=IT,o=CompanyName,c=UA, issuer_name: cn=CANAME,dc=SOMETHING,dc=SOMETHING2.
I'm really confused about how to match client's certificates to the group. I've even tried to change matching rules from "EQ" to "CO" but without success.
11-08-2010 03:52 AM
Hi Maxim,
first of all, can you please clarify what you meant when you wrote "Previously all was pretty fine but today I've got a very strange thing"?
What was working fine? VPN without cert mapping? Other cert map rules were working ok? Or was even this rule working ok and, when you made some change to it, it stopped working?
Anyway, I believe the problem is that a rule will only match if ALL conditions match.
So you will have to change to something like
crypto ca certificate map IT-VPN 20
subject-name attr cn eq username1@domain
crypto ca certificate map IT-VPN 21
subject-name attr cn eq username2@domain
crypto ca certificate map IT-VPN 22
subject-name attr cn eq username3@domain
crypto ca certificate map IT-VPN 23
subject-name attr cn eq username4@domain
Other than that, note that the cert map name should be the same for all rules, so if you already have something like
crypto ca certificate map FOO-VPN 10
subject-name attr cn eq otherusername@domain
then you should not define:
crypto ca certificate map IT-VPN 20
subject-name attr cn eq username1@domain
but:
crypto ca certificate map FOO-VPN 20
subject-name attr cn eq username1@domain
And of course you need to map the rules to a group:
tunnel-group-map enable rules
tunnel-group-map FOO-VPN 10 group1
tunnel-group-map FOO-VPN 20 group2
tunnel-group-map FOO-VPN 21 group2
tunnel-group-map FOO-VPN 22 group2
etc.
hth
Herbert
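To make the AND-within-a-rule / OR-across-rules semantics Herbert describes concrete, here is a small simulator (added example, not code from the thread or from Cisco) that parses certificate map rules and tunnel-group-map bindings in ASA CLI syntax and evaluates a peer's subject DN against them. It assumes: conditions inside one sequence number must all match, rules are tried in ascending sequence order and the first matching rule with a binding wins, string comparison is case-insensitive, and an unmatched peer falls back to DefaultRAGroup (the group the original post says the client landed in). The tunnel-group-map lines and the peer DN variants are constructed for the example; the subject DN itself is taken from the syslog line in the question.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's original single-rule map, plus the
# tunnel-group-map binding the poster did not show (assumed here).
ORIGINAL_CONFIG = """
crypto ca certificate map IT-VPN 20
 subject-name attr cn eq username1@domain
 subject-name attr cn eq username2@domain
 subject-name attr cn eq username3@domain
 subject-name attr cn eq username4@domain
tunnel-group-map enable rules
tunnel-group-map IT-VPN 20 IT-VPN
"""

# Constructed sample: Herbert's one-rule-per-user rewrite with a binding per rule.
FIXED_CONFIG = """
crypto ca certificate map IT-VPN 20
 subject-name attr cn eq username1@domain
crypto ca certificate map IT-VPN 21
 subject-name attr cn eq username2@domain
crypto ca certificate map IT-VPN 22
 subject-name attr cn eq username3@domain
crypto ca certificate map IT-VPN 23
 subject-name attr cn eq username4@domain
tunnel-group-map enable rules
tunnel-group-map IT-VPN 20 IT-VPN
tunnel-group-map IT-VPN 21 IT-VPN
tunnel-group-map IT-VPN 22 IT-VPN
tunnel-group-map IT-VPN 23 IT-VPN
"""

# Subject DN as printed in the syslog message quoted in the question.
PEER_SUBJECT = "cn=username1@domain,ou=IT,o=CompanyName,c=UA"


def parse_dn(dn):
    """Split 'cn=a,ou=b,...' into {attr: [values]}; keys are lower-cased.
    Assumption: values contain no escaped commas (plain split is enough here)."""
    attrs = defaultdict(list)
    for rdn in dn.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            attrs[key.strip().lower()].append(value.strip())
    return attrs


def parse_config(text):
    """Return (rules, bindings, enabled).
    rules:    {(map_name, seq): [(field, attr, op, value), ...]}
    bindings: [(map_name, seq, tunnel_group), ...]"""
    rules, bindings, enabled, current = {}, [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto ca certificate map (\S+) (\d+)$", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            rules.setdefault(current, [])
            continue
        m = re.match(r"(subject-name|issuer-name) attr (\S+) (eq|co) (.+)$", line)
        if m and current is not None:
            rules[current].append((m.group(1), m.group(2).lower(), m.group(3), m.group(4)))
            continue
        if line == "tunnel-group-map enable rules":
            enabled = True
            continue
        m = re.match(r"tunnel-group-map (\S+) (\d+) (\S+)$", line)
        if m:
            bindings.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        raise ValueError("unrecognised line: " + line)
    return rules, bindings, enabled


def condition_matches(cond, subject, issuer):
    """eq: attribute has exactly this value; co: some value contains it (case-insensitive, assumed)."""
    field, attr, op, expected = cond
    values = [v.lower() for v in (subject if field == "subject-name" else issuer).get(attr, [])]
    expected = expected.lower()
    if op == "eq":
        return expected in values
    return any(expected in v for v in values)  # op == "co"


def select_tunnel_group(config_text, subject_dn, issuer_dn="", default="DefaultRAGroup"):
    """Pick the tunnel group for a peer: first rule (by sequence) whose conditions ALL
    match and that has a tunnel-group-map binding; otherwise the default group."""
    rules, bindings, enabled = parse_config(config_text)
    if not enabled:
        return default
    subject, issuer = parse_dn(subject_dn), parse_dn(issuer_dn)
    group_for = {(name, seq): group for name, seq, group in bindings}
    for key in sorted(rules, key=lambda k: (k[1], k[0])):
        conds = rules[key]
        if conds and all(condition_matches(c, subject, issuer) for c in conds):
            if key in group_for:
                return group_for[key]
    return default


if __name__ == "__main__":
    print("original map:", select_tunnel_group(ORIGINAL_CONFIG, PEER_SUBJECT))  # DefaultRAGroup
    print("fixed map:   ", select_tunnel_group(FIXED_CONFIG, PEER_SUBJECT))     # IT-VPN
```

Running it shows why the original configuration produced the "Tunnel group search using certificate maps failed" syslog: rule 20 requires the CN to equal four different values at once, which no certificate can satisfy, so the peer drops to DefaultRAGroup. Splitting each user into its own sequence number gives the OR behaviour the poster expected, and the same harness can be fed a proposed rule set before it is pushed to the firewall.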
11-08-2010 07:53 AM
Thank you for reply.
The scheme with "one map per user/certificate" works.
Previously I thought that one map name and many rules would help me. I had assumed that rules under a map are OR-ed, but as I can see they are AND-ed.
11-08-2010 11:29 AM
Hi Maxim,
if the issue is resolved, please mark this thread as such, thanks!
Or if there's anything we can still help with, let us know.
cheers
Herbert