2989 Views | 0 Helpful | 5 Replies

Using MS CA issued certificate

Leo Jensen
Community Member

Looking for a configuration guide for using 2-factor authentication in a MS Windows environment. My setup: MS Windows 2012 Domain including MS Certificate Services, MS Windows clients with AnyConnect. VPN device ASA-5515 - ASA/ASDM 9.2(2)4/7.3(1). I would like to use the Microsoft CA issued personal certificates and the Windows domain user name/password for user authentication when establishing the VPN. How do I set up the ASA to validate the MS CA issued user certificate against the MS CA Server? All the configuration examples I have seen use SCEP, where the ASA requests a certificate from the MS CA Server on behalf of the user. This is not what I want. I would like the AnyConnect client to present the already issued user certificate (in MMC Certificates: Certificates - Current User -> Personal -> Certificates) to the ASA. The ASA then validates the certificate.
Just like ASA forwards user name/password validation to LDAP server - in my case the MS Windows Domain controllers. How do I set this up?
Kind regards, Henrik

Accepted Solution

Marvin Rhoads
Hall of Fame

Have a look at this configuration guide:

ASA AnyConnect Double Authentication with Certificate Validation, Mapping, and Pre-Fill Configuration Guide

It seems to address the use case you're asking about re certificates. They use local authentication as the second authentication factor but you could just as easily use AD or LDAP or RADIUS as your AAA server.


5 Replies


Hello, Marvin Rhoads.

Do you know if it is possible to also check the user's group in AD when the ASA is checking AD authentication (with CA authentication for phase 1)? What I mean is to let a user connect only if he is mapped to some specific group in AD (for example to the "Cisco_VPN" group).


to . If you want to use Cisco VPN instead of AnyConnect you can try my configuration: https://supportforums.cisco.com/discussion/12397696/easyvpn-asa-certificates-ike-profiles-and-ad-authentication

But I used a Cisco Router as the CA, so you can just change the URL of the trustpoint in the ASA configuration to your MS CA server.

Best Regards.

AllertGen,

If I understand your question correctly, I believe you are asking about what Cisco calls "Placing LDAP Users in a Specific Group Policy".

The link explains how to do this.

Hello, Marvin Rhoads.

Thanks a lot for your answer. It's close but it's not it. Here is what I'm talking about:

I want to do it so that if a user has a membership in this group he can connect via VPN. I entered these commands on my ASA device:

ldap attribute-map ADLDAPAttMap
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN1,CN=Cisco_VPN VPN1
 map-value memberOf CN=VPN2,CN=Cisco_VPN VPN2
exit
aaa-server AD_LDAP (if) host [AD_server]
 ldap-attribute-map ADLDAPAttMap
exit
tunnel-group VPN1 general-attributes
 authentication-server-group AD_LDAP
exit
tunnel-group VPN2 general-attributes
 authentication-server-group AD_LDAP
exit

And the main problem is the line: "tunnel-group-map enable rules". Without this line CA authentication doesn't work, but AD authentication works well (with pre-shared IKE authentication). And when I'm using this command CA authentication works well, but AD authentication accepts any user from AD. So I'm stuck at this point.


In your example I saw a line "group-policy [group] external server-group [ldap_server]". Right now I'm using an internal group policy. I want to try to use an external policy, but will local group-policy attributes work with it?

Best Regards.
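The two problems raised in this thread (validating an MS CA issued user certificate on the ASA, and letting AD authentication succeed only for members of a specific group) are usually solved together in one ASA configuration. The following is an added worked example written for this page; it is not a configuration posted by any participant here and not taken from the linked guide. The trustpoint name MS-CA, the certificate-map name, the group names VPN1/NOACCESS, the server address 192.0.2.10, the domain example.com and the service account DN are all constructed placeholders that must be replaced with your own values. Lines starting with "!" are comments.

```text
! --- 1. Trust the Microsoft CA that issued the user certificates ---
! The ASA validates the client certificate chain against this trustpoint.
! "crypto ca authenticate MS-CA" is run from exec mode and prompts you to
! paste the CA's base64 (PEM) certificate; there is no SCEP enrollment,
! because the users already hold certificates issued by the MS CA.
crypto ca trustpoint MS-CA
 enrollment terminal
 revocation-check crl
 exit
crypto ca authenticate MS-CA

! --- 2. Match certificates from that CA and steer them to a tunnel group ---
! Only certificates whose issuer CN matches are mapped; anything else falls
! through to the default tunnel group. Adjust the CN to your CA's subject.
crypto ca certificate map MS-CA-MAP 10
 issuer-name attr cn eq "Example Enterprise CA"
 exit
! Mapping for IPsec/IKEv2 connections:
tunnel-group-map enable rules
tunnel-group-map MS-CA-MAP 10 VPN1
! Mapping for AnyConnect SSL connections:
webvpn
 enable outside
 anyconnect enable
 certificate-group-map MS-CA-MAP 10 VPN1
 exit

! --- 3. LDAP server (AD) with an attribute map on memberOf ---
! Users who belong to the Cisco_VPN group receive group-policy VPN1.
! The map-value key must be the full distinguished name of the AD group.
ldap attribute-map ADLDAPAttMap
 map-name memberOf Group-Policy
 map-value memberOf "CN=Cisco_VPN,OU=Groups,DC=example,DC=com" VPN1
 exit
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map ADLDAPAttMap
 exit

! --- 4. Group policies: an allowed policy and a deny-by-default policy ---
group-policy VPN1 internal
group-policy VPN1 attributes
 vpn-tunnel-protocol ssl-client ikev2
 exit
! NOACCESS is what a user gets when no memberOf value matched; zero
! simultaneous logins means a valid AD password alone is not enough.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 exit

! --- 5. Tunnel group: certificate AND AD password, default deny ---
tunnel-group VPN1 type remote-access
tunnel-group VPN1 general-attributes
 authentication-server-group AD_LDAP
 default-group-policy NOACCESS
 exit
tunnel-group VPN1 webvpn-attributes
 authentication aaa certificate
 exit
```

The point of the default-group-policy NOACCESS line is exactly the symptom described above: once certificate mapping is enabled, an AD user who is not in Cisco_VPN still authenticates successfully but lands in a policy that allows zero sessions, so the connection is refused. Membership is checked on every login because the attribute map is evaluated by the LDAP server entry, so a user removed from the group is denied on their next connection without any change on the ASA. The existing internal group policies continue to work with this approach; an external group policy is only needed if you want the policy attributes themselves to live on the LDAP server.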

Thank You so much. It works nicely.
Now I just want to be able to allow the users to save their Windows Credentials like the previous Cisco VPN client.