09-26-2012 08:17 PM
I have configured SSL VPN on an ASA 5520 with AAA and certificate authentication. My problem is:
both authentications work fine, but I find that client users can use anyone else's certificate to authenticate. I want to bind the AAA account to the user's certificate; everyone must use their own certificate.
AAA and certificates are Windows LDAP and MS CA.
==== configuration ====
tunnel-group supper type remote-access
tunnel-group supper general-attributes
 authentication-server-group ldap
 default-group-policy policy-supper
 username-from-certificate ????
tunnel-group supper webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
 group-alias supper enable
==========
How do I get the username from the certificate?
When I use "username-from-certificate CN",
I always get 'Users' as the username. The certificate has two CN values: cn=ssl05 (the username I want) and cn=Users.
----log-------
Identified client certificate within certificate chain. serial number: 6108B927000000000017, subject name: ea=ssl05@xxx.com,cn=ssl05,cn=Users,dc=xxx,dc=com.
Sep 27 2012 11:11:56: %ASA-7-717030: Found a suitable trustpoint xxx to validate certificate.
Sep 27 2012 11:11:56: %ASA-6-717022: Certificate was successfully validated. serial number: 6108B927000000000017, subject name: ea=ssl05@xxx.com,cn=ssl05,cn=Users,dc=xxx,dc=com.
Sep 27 2012 11:11:56: %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Sep 27 2012 11:11:56: %ASA-6-725002: Device completed SSL handshake with client outside:218.4.91.9/34254
Sep 27 2012 11:11:56: %ASA-7-717036: Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 6108B927000000000017, subject name: ea=ssl05@xxx.com,cn=ssl05,cn=Users,dc=xxx,dc=com, issuer_name: cn=xxx CA,dc=xxx,dc=com.
Sep 27 2012 11:11:56: %ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: 6108B927000000000017, subject name: ea=ssl05@xxx.com,cn=ssl05,cn=Users,dc=xxx,dc=com, issuer_name: cn=xxx CA,dc=xxx,dc=com.
Sep 27 2012 11:11:56: %ASA-5-113024: Group supper: Authenticating ssl-client connection from 218.4.91.9 with username, Users, from client certificate
Sep 27 2012 11:11:56: %ASA-7-609001: Built local-host office:10.99.7.223
Sep 27 2012 11:11:56: %ASA-6-302013: Built outbound TCP connection 312138 for office:10.99.7.223/389 (10.99.7.223/389) to identity:10.104.247.242/22478 (10.104.247.242/22478)
Sep 27 2012 11:11:56: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.99.7.223 : user = Users
Sep 27 2012 11:11:56: %ASA-5-113024: Group supper: Authenticating ssl-client connection from 218.4.91.9 with username, Users, from client certificate
Sep 27 2012 11:11:56: %ASA-6-716039: Group <supper> User <Users> IP <218.4.91.9> Authentication: rejected, Session Type: WebVPN.
Can somebody help me? Thanks.
09-27-2012 05:35 PM
Does anyone have experience with this? I have tested every option in 'username-from-certificate xxx' except 'use-script'.
I don't know how to code the script for 'use-script' in Lua. I think maybe the script is the only solution.
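The two posts above describe the same problem: the subject DN carries two CN values and the device picks the container CN (Users) instead of the leaf CN (ssl05), so the AAA login is attempted with the wrong name and the account is never tied to the certificate. The following is an added illustration of the selection logic such a script needs, written in Python rather than ASA Lua; it is not Cisco's script API and not the poster's code. The DN string and usernames are constructed from the log lines in the first post.

```python
# Added example (not Cisco's code, not the poster's): pick the leaf CN out of
# a multi-CN subject DN and check that the AAA account matches it.
# The subject DN below is copied from the ASA log in the post (constructed input).
SUBJECT_DN = "ea=ssl05@xxx.com,cn=ssl05,cn=Users,dc=xxx,dc=com"


def parse_dn(dn):
    """Split a DN string into an ordered list of (attribute, value) pairs.
    The leftmost RDN is the leaf (most specific) entry, as in the ASA log
    and in RFC 4514 string form. A comma escaped as '\\,' stays in the value."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def username_from_certificate(dn):
    """Return the leftmost (leaf) CN, which is the user object itself; the
    container CN 'Users' sits to its right. Fall back to the local part of the
    e-mail attribute (ea) when the DN has no CN at all; None if neither exists."""
    pairs = parse_dn(dn)
    for attr, value in pairs:
        if attr == "cn":
            return value
    for attr, value in pairs:
        if attr in ("ea", "emailaddress"):
            return value.split("@", 1)[0]
    return None


def aaa_user_matches_certificate(aaa_username, dn):
    """The binding the poster wants: the AAA account being authenticated must be
    the identity named by the client certificate (compared case-insensitively)."""
    cert_user = username_from_certificate(dn)
    return cert_user is not None and aaa_username.lower() == cert_user.lower()
```

Run against the log's DN, `username_from_certificate` yields `ssl05`, and `aaa_user_matches_certificate("Users", SUBJECT_DN)` is false, which is exactly the mismatch the rejected AAA attempt in the log shows.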