SSLVPN with aaa and certificate authentication

kevinskiwen (Level 1)

I have configured SSL VPN on an ASA 5520 with AAA and certificate authentication. My problem is:

Both authentications work fine, but I find that the client users can use anyone else's certificate to authenticate. I want to bind the AAA account to the user's certificate; everyone must use their own certificate.

AAA and certificates are Windows LDAP and MS CA.

====configuration======

tunnel-group supper type remote-access

tunnel-group supper general-attributes

authentication-server-group ldap

default-group-policy policy-supper

username-from-certificate ????

tunnel-group supper webvpn-attributes

authentication aaa certificate

pre-fill-username ssl-client

group-alias supper enable

==========

How do I get the username from the certificate?

When I use "username-from-certificate CN",

I always get 'Users' as the username; the certificate has two CN values: cn=ssl05 (the username I want) and cn=Users.

----log-------

Identified client certificate within certificate chain. serial number: 6108B927000000000017, subject name: ea=ssl05@xxx.com,cn=ssl05,cn=Users,dc=xxx,dc=com.

Sep 27 2012 11:11:56: %ASA-7-717030: Found a suitable trustpoint xxx to validate certificate.

Sep 27 2012 11:11:56: %ASA-6-717022: Certificate was successfully validated. serial number: 6108B927000000000017, subject name:  ea=ssl05@xxx.com,cn=ssl05,cn=Users,dc=xxx,dc=com.

Sep 27 2012 11:11:56: %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.

Sep 27 2012 11:11:56: %ASA-6-725002: Device completed SSL handshake with client outside:218.4.91.9/34254

Sep 27 2012 11:11:56: %ASA-7-717036: Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 6108B927000000000017, subject name: ea=ssl05@xxx.com,cn=ssl05,cn=Users,dc=xxx,dc=com, issuer_name: cn=xxx CA,dc=xxx,dc=com.

Sep 27 2012 11:11:56: %ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: 6108B927000000000017, subject name: ea=ssl05@xxx.com,cn=ssl05,cn=Users,dc=xxx,dc=com, issuer_name: cn=xxx CA,dc=xxx,dc=com.

Sep 27 2012 11:11:56: %ASA-5-113024: Group supper: Authenticating ssl-client connection from 218.4.91.9 with username, Users, from client certificate

Sep 27 2012 11:11:56: %ASA-7-609001: Built local-host office:10.99.7.223

Sep 27 2012 11:11:56: %ASA-6-302013: Built outbound TCP connection 312138 for office:10.99.7.223/389 (10.99.7.223/389) to identity:10.104.247.242/22478 (10.104.247.242/22478)

Sep 27 2012 11:11:56: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.99.7.223 : user = Users

Sep 27 2012 11:11:56: %ASA-5-113024: Group supper: Authenticating ssl-client connection from 218.4.91.9 with username, Users, from client certificate

Sep 27 2012 11:11:56: %ASA-6-716039: Group <supper> User <Users> IP <218.4.91.9> Authentication: rejected, Session Type: WebVPN.

Can somebody help me? Thanks.

1 Reply

kevinskiwen (Level 1)

Does anyone have experience with this? I have tested every option in 'username-from-certificate xxx' except 'use-script'.

I don't know how to code the script for 'use-script' in Lua. I think maybe the script is the only solution.
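The following is an added example and not code from the original thread or from Cisco. It is a host-side Python model of the two things the thread is about: pulling the right name out of a subject DN shaped like the one in the posted log (where "username-from-certificate CN" yielded the container CN "Users" instead of "ssl05"), and checking that the name taken from the certificate matches the AAA account, which is the binding the question asks for. It does not reproduce the ASA's Lua script API; its purpose is to let you pin down the extraction rule (leaf CN, or the local part of the e-mail attribute) against real DNs before writing the use-script. The sample DN is copied from the log in the question; the assumption that the leaf CN or the e-mail local part equals the AD logon name is the author's, not something the thread confirms.

```python
from typing import List, Optional, Tuple

# Constructed sample input: the subject DN exactly as printed in the ASA log quoted
# in the question (certificate serial 6108B927000000000017).
SAMPLE_SUBJECT = "ea=ssl05@xxx.com,cn=ssl05,cn=Users,dc=xxx,dc=com"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (attribute-type, value) pairs in printed order,
    i.e. leaf RDN first, the same order the ASA prints it. Backslash-escaped
    commas inside a value are honoured; multi-valued RDNs ('+') are not split,
    which is fine for certificates a Microsoft CA issues from AD user objects."""
    pieces: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    pieces.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for piece in pieces:
        piece = piece.strip()
        if not piece:
            continue
        attr, _, value = piece.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def leaf_cn(dn: str) -> Optional[str]:
    """First CN in the DN, i.e. the user's own RDN. The log in the question shows
    the ASA choosing 'Users' (the parent container's CN) for
    'username-from-certificate CN'; for an AD-issued certificate it is the leaf
    CN that names the account (assumption made for this example)."""
    for attr, value in parse_dn(dn):
        if attr == "cn":
            return value
    return None


def email_local_part(dn: str) -> Optional[str]:
    """Local part of the e-mail attribute (printed as 'ea=' by the ASA). For AD
    users this is often, but not always, the logon name (assumption)."""
    for attr, value in parse_dn(dn):
        if attr in ("ea", "e", "emailaddress") and "@" in value:
            return value.split("@", 1)[0]
    return None


def certificate_bound_to_account(dn: str, aaa_username: str) -> bool:
    """The binding the question asks for: accept the AAA account only when the
    presented certificate names that same account (leaf CN or e-mail local
    part). Compared case-insensitively, as AD logon names are."""
    names = {leaf_cn(dn), email_local_part(dn)} - {None}
    return aaa_username.lower() in {n.lower() for n in names}


if __name__ == "__main__":
    print(parse_dn(SAMPLE_SUBJECT))
    print("leaf CN:", leaf_cn(SAMPLE_SUBJECT))
    print("bound to ssl05:", certificate_bound_to_account(SAMPLE_SUBJECT, "ssl05"))
    print("bound to Users:", certificate_bound_to_account(SAMPLE_SUBJECT, "Users"))
    print("bound to ssl06:", certificate_bound_to_account(SAMPLE_SUBJECT, "ssl06"))
```

Run it against a handful of real subject DNs exported from the CA before deciding which rule the use-script should implement; if some accounts have no e-mail attribute, or their e-mail local part differs from the logon name, the leaf-CN rule is the safer choice, and either way the check in certificate_bound_to_account is what stops one user from logging in with another user's certificate.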