Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13281
Views
0
Helpful
4
Replies

How to match tunnel-group with ASA 8.2 and VPN Client IPSec auth using Digital Certificates with Microsoft CA

Go to solution
fernandoaguirre
Level 1
Level 1

‎04-16-2010 05:22 PM - edited ‎02-21-2020 04:36 PM

Hi,

I have configured a lab for RA VPNs with a ASA5510 software version 8.2 and VPN Client 5 using digital certificates with Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco website:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080930f21.shtml

Now the vpn works just fine, but now I need to configure different tunnel-groups so I can provide different services to different users. The problem I have now is that I don't know how to configure it so the certificate matches the tunnel-group name. If i do a debug crypto isakmp on ASA I get this error messages:

%ASA-7-713906: IP = 165.98.139.12, Trying to find group via OU...
%ASA-3-713020: IP = 165.98.139.12, No Group found by matching OU(s) from ID payload:   Unknown
%ASA-7-713906: IP = 165.98.139.12, Trying to find group via IKE ID...
%ASA-3-713020: IP = 165.98.139.12, No Group found by matching OU(s) from ID payload:   Unknown
%ASA-7-713906: IP = 165.98.139.12, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 165.98.139.12, Trying to find group via default group...
%ASA-7-713906: IP = 165.98.139.12, Connection landed on tunnel_group DefaultRAGroup

So basically when using certificates I always connect the RA VPN only with the default group DefaultRAGroup. Do I need to use a different web enrollment template for certificate request instead of the user template??? How can I define the OU on the User certificate so it matches the tunnel-group???

Please help me!!!!

Regards,

Fernando Aguirre

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎04-16-2010 09:41 PM

You can use the certificate group map feature to map it to a specific group.

Here is the configuration guide for your reference:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ike.html#wp1053978

And here is the command reference for "crypto ca certificate map":

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2186685

Hope that helps.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎04-16-2010 09:41 PM

You can use the certificate group map feature to map it to a specific group.

Here is the configuration guide for your reference:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ike.html#wp1053978

And here is the command reference for "crypto ca certificate map":

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2186685

Hope that helps.

0 Helpful

Go to solution
fernandoaguirre
Level 1
Level 1
In response to Jennifer Halim

‎04-17-2010 12:40 PM

Thanks, the information you sent me was very helpful. I have the tunnel group mapping working with certificates now.

0 Helpful

Go to solution
Guido Arturo Catalano
Level 1
Level 1

‎03-21-2012 07:42 AM

One of the links is bronken.

I found new and very usefull info, Posted by Petr Lapukhov:

http://blog.ine.com/tag/tunnel-group/

 

1)The rules are configured using the command

crypto ca certificate map [] .

2) Enable the mapping rules using the command

tunnel-group-map enable rules.

3) Configure certificate map to tunnel-group mapping using the global commands

tunnel-group-map []

The rules are configured using the command crypto ca certificate map [] .

My Conf:

crypto ca certificate map CertMap 10

issuer-name attr cn co RT_CA01

subject-name co ARRT01

tunnel-group-map enable rules

tunnel-group-map CertMap 10 vpnBranches

More info on Cisco ASA 5500 Series Configuration Guide using the CLI

search for "Creating a Certificate Group Matching Rule and Policy"

0 Helpful

Go to solution
thomas.busse
Level 1
Level 1
In response to Guido Arturo Catalano

‎09-24-2013 02:18 AM

Hello and sorry to bring this old topic up again :-)

I'm aware of the certificate group map feature but in our environment we are not able to use it, as the customer wants to use the option of "group-delimiter #" to make users fall into a special tunnel-group in some circumstances.

I have heard, that you could name the tunnel-group the same as the OU-Field from the certificate to make users fall into that tunnel-group, is this correct and is there any documentation from cisco about that feature?

I'm relatively new to ASA and what I have learned is, to use certificate group map :-)

Thank you guys in advice.

Best regards,

Thomas

0 Helpful
Customers Also Viewed These Support Documents