ASA: SSL VPN Certificate Authentication per Tunnel Group

Document

Dec 2, 2009 2:00 PM


Introduction


Enables certificate authentication to occur based on tunnel-group configuration, rather than global configuration.


Certificate Authentication per Tunnel Group (a tunnel group is referred to as a Connection Profile in ASDM) is a new feature introduced in the ASA 8.2.1 release. Its goal is to avoid prompting all SSL VPN endpoints (Clientless and AnyConnect) for a certificate when it is unnecessary to do so.

In ASA releases prior to 8.2.x, client certificate authentication, when enabled, is a global setting controlled with the '''ssl certificate-authentication interface ''<interface>'' port ''<portnum>''''' CLI. When enabled it forces all SSL VPN endpoints to see the certificate popup asking for a certificate. Users who wished to connect to tunnel groups using only AAA had to click Cancel or choose a certificate to get past the popup.

Configuration CLI

No new CLI syntax was added to the ASA; only the semantics of existing commands changed.

  • SSL CLI Commands

The key to this feature is that the '''ssl certificate-authentication''' command is no longer needed. When the '''ssl certificate-authentication''' command is configured, all connections to the specified interface and port are asked for a certificate.

ssl certificate-authentication interface outside port 443

Per-tunnel-group certificate authentication is enabled automatically when that CLI is removed.

no ssl certificate-authentication interface outside port 443

'''Note:''' Leaving the '''ssl certificate-authentication interface ''<interface>'' port ''<portnum>''''' CLI enabled will result in the exact same functionality as pre-8.2.x ASA.

  • CLI Commands to enable certificate-authenticated HTTP (ASDM) sessions

The '''http authentication-certificate ''<interface>''''' command was added back in 8.2.1 (it was removed in 8.0) to enable certificate authentication for ASDM connections. This command has the same syntax as in 8.0.

http authentication-certificate outside

  • Tunnel-Group CLI Commands

The '''authentication''' command is used on a tunnel-group to specify that the incoming connection is to be authenticated via a certificate.

tunnel-group <group-name> webvpn-attributes
authentication certificate

Configuration via ASDM

ASDM panels:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles-Basic (Authentication Method)

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles-Basic (Authentication Method)

[Image: cert_auth_tg3.gif, the Connection Profile Authentication Method panel]

Supported Modes
This feature is supported in all modes.

Troubleshooting / Debugging

No new '''show''' commands were added. However, a single counter was added to '''show counters''':

* Protocol: SSLNP
* Name: SSL forced certificate on

This counter is incremented each time an address is added to the ''Forced Certificate Authentication'' database (FCADB).

Syslogs

No new syslogs were added.

Debugs

Debug commands were added to the SSL menu.

The following command displays the FCADB that is used on the ASA to force certain clients (e.g. AnyConnect) to always use certificate authentication.

debug menu ssl 2

The following command adds an IPv4 address to the FCADB:

debug menu ssl 3 ''<ip-addr>''

AnyConnect and Clientless WebVPN user behavior when using Certificates for Authentication


Although AnyConnect and Clientless WebVPN are both affected by this new feature, the AnyConnect user experience is mostly unchanged since AnyConnect does not prompt the user for a certificate.

Update: AnyConnect has since added the capability to prompt the user for which certificate to use to authenticate the VPN session, so the behavior will be essentially the same as for the Clientless/browser session when the "Disable Automatic Certificate Selection" option under Preferences (Part 2) is checked in the AnyConnect profile.

The tunnel-group (aka Connection Profile) settings that control authentication remain unchanged and can be set to any of the following:

  • Standard AAA only, no digital certificates

tunnel-group myaaaGroup webvpn-attributes
authentication aaa

  • Digital certificates only, no standard AAA

tunnel-group mycertsGroup webvpn-attributes
authentication certificate

  • Both AAA and Digital certificates

tunnel-group mycerts-aaaGroup webvpn-attributes
authentication certificate aaa
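As an added example (not part of the original document and not a Cisco tool), the script below reads a saved running-config and reports whether the legacy global '''ssl certificate-authentication''' command from the SSL CLI section is still forcing the popup on every client, and which of the three tunnel-group authentication modes above each connection profile uses. The sample config is constructed, and the script assumes that a tunnel-group with no explicit '''authentication''' line uses the AAA default.

```python
import re

# Constructed sample running-config excerpt; not captured from a real ASA.
SAMPLE_CONFIG = """\
ssl certificate-authentication interface outside port 443
http authentication-certificate outside
tunnel-group myaaaGroup type remote-access
tunnel-group myaaaGroup webvpn-attributes
 authentication aaa
tunnel-group mycertsGroup type remote-access
tunnel-group mycertsGroup webvpn-attributes
 authentication certificate
tunnel-group mycerts-aaaGroup type remote-access
tunnel-group mycerts-aaaGroup webvpn-attributes
 authentication certificate aaa
"""

def parse_cert_auth(config: str) -> dict:
    """Extract the legacy global cert setting, the ASDM http authentication-certificate
    interfaces, and each tunnel-group's webvpn-attributes authentication method."""
    out = {"global_forced": [], "asdm_cert": [], "tunnel_groups": {}}
    current_tg = None
    for line in config.splitlines():
        if m := re.match(r"ssl certificate-authentication interface (\S+) port (\d+)", line):
            out["global_forced"].append((m.group(1), int(m.group(2))))
        elif m := re.match(r"http authentication-certificate (\S+)", line):
            out["asdm_cert"].append(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) webvpn-attributes", line):
            current_tg = m.group(1)
            out["tunnel_groups"].setdefault(current_tg, "aaa")  # assumed ASA default method
        elif line.startswith("tunnel-group"):  # some other tunnel-group sub-mode
            current_tg = None
        elif current_tg and (m := re.match(r"\s+authentication (.+)", line)):
            out["tunnel_groups"][current_tg] = m.group(1).strip()
    return out

def audit(config: str) -> list:
    """Describe the certificate prompt each SSL VPN / ASDM user will see."""
    parsed = parse_cert_auth(config)
    findings = []
    for iface, port in parsed["global_forced"]:
        findings.append(f"legacy global cert prompt on {iface}:{port}: every SSL VPN and "
                        f"ASDM client sees the certificate popup, per-tunnel-group selection "
                        f"is not in effect; remove with 'no ssl certificate-authentication "
                        f"interface {iface} port {port}'")
    for name, method in parsed["tunnel_groups"].items():
        prompt = "certificate prompt" if "certificate" in method else "no certificate prompt (AAA only)"
        findings.append(f"tunnel-group {name}: authentication '{method}' -> {prompt}")
    return findings
```

Feed it the output of '''show running-config''' to confirm the legacy command is gone before relying on per-tunnel-group behavior.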

The table below indicates what the user experience will be for each client/connection type combination.

[Image: cert_clientless_behavior.GIF, Clientless user behavior per connection type]

[Image: cert_anyconnect_behavior.GIF, AnyConnect user behavior per connection type]


Certificate Authentication for ASDM administrative sessions

ASDM certificate authentication is still controlled by the ssl certificate-authentication CLI when that command is enabled.

However, when the ssl certificate-authentication CLI is NOT configured, the new command covered below controls this instead.

Pre-ASA 8.2.x ASDM behavior with certificate authentication

ASDM on port 443: ASDM users were required to deal with the cert popup.

ASDM on a port other than 443:

  • ASDM could operate with aaa-only or no aaa without seeing the cert popup.
  • ASDM could be prompted for cert auth separately from WebVPN using the ssl certificate-authentication CLI on whatever port ASDM (http server enable) was configured for.

Post ASA 8.2.x ASDM behavior

ASDM certificate authentication is controlled using the new CLI, '''http authentication-certificate ''<interface>'''''. This new CLI defaults to disabled; enabling it on an interface causes ASDM connections to that interface to see a cert popup when connecting.

http authentication-certificate outside

Cisco Secure Desktop (CSD)

With the old ssl certificate-authentication setting, accessing CSD screens used to prompt for a client certificate. This is no longer the case: users can now browse (or be redirected) to these URLs without a cert popup.

Local CA Certificates
When enrolling for a new client certificate, the login page where users enter their username and One Time Password (OTP) to download their certificate would prompt for a client certificate. As a result, users were required to cancel out of the cert popup or choose a cert (if one existed) just to get to the enrollment page. With the new behavior, browsing to the Local CA enrollment page works without a cert popup.

Documentation

Several technical notes on configuring certificate authentication between Cisco VPN remote access session types and ASA5500 security appliances can be found at http://www.cisco.com/en/US/partner/products/ps6120/prod_configuration_examples_list.html

Here's an example:

ASA 8.x: AnyConnect SSL VPN CAC-Smart Cards Configuration for Windows

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00809a2b93.shtml#anycon


Comments

jimsiff Sun, 03/28/2010 - 22:42

This works great except if you're using SCEP certificate enrollment. I'm currently tracking a bug that forces me to go back to the legacy 'ssl certificate-authentication interface...' command when using SCEP.

andrew.craick@didata Mon, 07/02/2012 - 04:06

Thanks for this info.

One thing I have noticed that is annoying me is that once you enable certificate authentication it must be used for all interfaces.

If you enable certificate and you wish to also use username and password this can also not be done on a per interface basis. If I want certificate only on inside and certificate and username and password via AAA for the outside interface I can't.

Even if you enable per interface AAA it doesn't work unless you enable Certificate and AAA globally in which case all interfaces use AAA.

Anyone know a workaround for this?

dmethodmn Tue, 03/11/2014 - 09:08

I am having issues trying to create/deploy a user certificate. Is there any documentation on how to create the user certificate? What attributes do I provide to the user certificate?

I am using Microsoft Active Directory Certificate Services on Windows 2008 R2. The Microsoft CA has authority and has issued a cert to the ASA. When I log in using a remote access VPN with AAA, the user is asked to accept the ASA certificate issued by the Microsoft CA. I am able to log in successfully using that remote access VPN. However, trying to configure a different RA-VPN using certificate only auth results in a "Certificate Validation Failure" message.
