Cisco Support Community
AnyConnect Certificate Based Authentication.

New Member

The information in this document is based on these software and hardware versions:

    ASA 5510 running software version 8.2(2) and ASDM version 6.4(9)

    AnyConnect client software version 3.0 (the procedure is the same for ASA releases prior to 8.3)

    Microsoft Windows 2003 server as the CA server for this scenario

Since the ASA in use runs 8.2.x, certificate authentication can be enabled per tunnel-group.

(This is a feature of the ASA 8.2.x release. On pre-8.2.x code, certificate authentication has to be enabled globally on the interface with the command "ssl certificate-authentication interface <interface> port <portnum>", which affects every connection to that interface, including ASDM.)

 

 

 

In order to accomplish AnyConnect authentication using certificates, the AnyConnect client must obtain a valid certificate from the CA server, and the ASA must have the CA root certificate installed so that it can validate the certificate of the connecting client.

 

 

 

1.bmp

 

 

 

1-) Make sure you have an AnyConnect image applied in the ASA firewall:

 

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software

 

 

Click the Add button, and browse the flash for the proper image (optionally you can upload the client from the local PC).

 

 

2.bmp

 

 

2-) Enable AnyConnect on the outside interface:

 

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

 

Check the box "Enable Cisco AnyConnect VPN Client or legacy SSL Client"

 

Then select the interface the AnyConnect clients will connect to (in this example the outside interface).

 

 

3.bmp

 

 

 

The "Allow user to select connection profile" option (tunnel-group-list enable in the CLI) lets the AnyConnect user pick the connection profile (group) to connect to.

 

 

 

3-) Create a new AnyConnect connection profile:

 

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

 

 

Click the Add button, the "AnyConnect connection profile" window will open.

 

Give the connection profile a name and optionally a group alias.

 

 

Click the "Select" button next to the "Client Address Pools" option.

 

The "Select Address Pools" window will appear.

 

Click the "Add" button in order to create a new pool of addresses.

 

 

 

4.bmp

 

 

 

4-) Create a Group-policy:

 

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

 

Click the "Manage" button next to the "Group Policy" option in the connection profile.

 

Click the "Add" button in order to create the new policy.

 

 

Give the policy a name (In this example "AnyConnect-Policy") and check the "Clientless SSL VPN" and "SSL VPN Client" boxes, then click the "ok" button.

 

 

5.bmp

 

 

 

The AnyConnect connection profile (tunnel-group) has been created at this point.

 

 

 

 

5-) Install the CA certificate in the ASA:

 

 

The CA certificate must be downloaded from the CA server and installed in the ASA.

 

Complete these steps in order to download the CA certificate from the CA server.

 

Log in to the CA server's web enrollment page with the appropriate credentials.

 

6.bmp

 

 

 

Click Download a CA certificate, certificate chain or CRL in order to open the window,

as shown. Click the Base 64 radio button as the encoding method, and click Download CA certificate.

 

 

7.bmp

 

 

Save the CA certificate with the certnew.cer name on your computer.

 

 

8.bmp

 

 

 

Go to Configuration > Remote Access VPN > Certificate Management > CA Certificates in the ASA firewall.

 

Click on the "Add" button, the "Install Certificate" window will open.

 

Click the "Browse" button next to the "Install from a file" option.

 

Browse to the location where you saved the CA certificate, highlight the CA certificate and click on the "Install" button.

 

 

9.bmp

 

 

At this point the CA certificate is installed in the ASA, and the ASA can validate any connecting user whose certificate was issued by that same CA.

 

 

 

 

6-) Go back to the AnyConnect connection profiles and change the profile to use certificate authentication:

 

 

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

 

Highlight the "AnyConnect-group" profile and click the "Edit" button.

 

 

The "Edit AnyConnect Connection Profile" window will open; there you can set the authentication method to "Certificate".

 

 

10.bmp

 

 

 

Click the "OK" button and then click "Apply"

 

(Remember to save the configuration performed)

 

 

11.bmp

 

 

 

 

7-) The next step would be to install the certificate in the AnyConnect client PC:

 

 

The user will need to log in into the CA server with his credentials.

 

 

12.bmp

 

 

 

Once in the CA server, the user will need to click the "Request a certificate" option.

 

13.bmp

 

 

The user will want to select the "User Certificate" option.

 

 

14.bmp

 

 

 

 

At this point the CA server will provide the user certificate to be installed.

 

 

 

15.bmp

 

 

Once the certificate is installed, the user can connect with the AnyConnect client, authenticating with the previously installed certificate (no username and password required).

 

 

16.bmp

 

 

This is how the configuration looks in the CLI:

ip local pool AnyConnect 10.10.10.1-10.10.10.254 mask 255.255.255.0

group-policy AnyConnect-Policy internal
group-policy AnyConnect-Policy attributes
  vpn-tunnel-protocol svc webvpn

tunnel-group AnyConnect-group type remote-access
tunnel-group AnyConnect-group general-attributes
  address-pool AnyConnect
  default-group-policy AnyConnect-Policy
tunnel-group AnyConnect-group webvpn-attributes
  authentication certificate
  group-alias AnyConnect enable

webvpn
  enable outside
  svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
  svc enable
  tunnel-group-list enable

The trustpoint below holds the CA certificate imported in step 5. Note that "revocation-check none" means the ASA never consults a CRL or OCSP responder for this trustpoint, so a client certificate the CA has since revoked (lost laptop, departed user) is still accepted; for production, use "revocation-check crl" or "revocation-check ocsp" so that revoking the certificate on the CA actually blocks the device.

crypto ca trustpoint ASDM_TrustPoint0
  revocation-check none
  no id-usage
  enrollment terminal

crypto ca authenticate ASDM_TrustPoint0

 

        MIIEtDCCA5ygAwIBAgIQcNSMRXs696JMHFgTc+OKPjANBgkqhkiG9w0BAQUFADBV

        MRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY3J0YWMxFjAU

        BgoJkiaJk/IsZAEZFgZ2cG5sYWIxDzANBgNVBAMTBnZwbmxhYjAeFw0xMjA2MDUy

        MDAyNThaFw0xNzA2MDUyMDExNTdaMFUxEzARBgoJkiaJk/IsZAEZFgNjb20xFTAT

        BgoJkiaJk/IsZAEZFgVjcnRhYzEWMBQGCgmSJomT8ixkARkWBnZwbmxhYjEPMA0G

        A1UEAxMGdnBubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Wo7

        iCHElRUbgGAJgsf52AxlQLmeyMTSgS2I6/hTCOmra5BkP4cUieSeWqnOAPYgGTj/

        it3qGVLBjkjf2sHBUBHfIUm8nnQF2UNjTbJZVIfCAyrHoRXNDFNV6qlKFoMmi7VG

        2CudXsbuC86LsFDTMkk2Y2UB/T1xUpf5TBX+uQDb7w4jIZs1DkpQBmE946lH8vyA

        GHU6RdainLr/44Sa0iPjzngMdssq0QlE/8gYWr6HsAOvmKhf8RcokjqXEQ36JyAF

        +N/6sqoDTYl6jXg72PuoLO/zcmu8qbY+aRQGu5tlKXVemb9FyEKOuLe/Q4PirCz1

        TUHw8urOHcHCquo5PwIDAQABo4IBfjCCAXowEwYJKwYBBAGCNxQCBAYeBABDAEEw

        CwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNI2q3uAQNAg

        nR+BfjqEcGUZaHoNMIIBEgYDVR0fBIIBCTCCAQUwggEBoIH+oIH7hoG7bGRhcDov

        Ly9DTj12cG5sYWIsQ049dnBuLXNlcnZlci0wMSxDTj1DRFAsQ049UHVibGljJTIw

        S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz12

        cG5sYWIsREM9Y3J0YWMsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/

        YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludIY7aHR0cDovL3Zw

        bi1zZXJ2ZXItMDEudnBubGFiLmNydGFjLmNvbS9DZXJ0RW5yb2xsL3ZwbmxhYi5j

        cmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAEHyvayVbKqT

        0rwZNFBC3GAnUCDCK3kJxyjvir+T2pcCVS5KLukhTcDtr5VBOrSGsFA+zJvqB7qS

        dwAvh9tKjpdb6rQKM5bo7NKii7mU71WxK8/wSupLMlNEZemvZcnaLKB2P5TGwJ0K

        9LTp/rT89pvO9QbEMnRMPi0dPHQbu90sDLLBksxUfXII8qNyjjqNnVq2GDHX56Gz

        DzltLTLnrL4Gb/1M9ulwO2bzNV9J7uVg6iELJDbzkHFaCNXTvQJyDsN41xETg54Y

        uv6hViCXnu0SaaWi2rjVqx8pUXD7O3jrH9jnBC71cUqzv+MBvJI3th9iMMA80Gno

        Rl0Ipuf7dYk=

        quit

 

 

I hope this information can be helpful for you.

36 Comments
Cisco Employee

Really useful. thanks

New Member

Thank you for great post.

I've been looking to implement this solution.  One question I have is, instead of using a separate Microsoft Windows CA Server, can't you use the built-in ASA CA?

Thanks,

Matt

New Member

Hello Matt,

Thank you very much for your comments.

In answer to your question, yes, it is totally possible to use the built-in CA server feature of the ASA in order to issue certificates to your SSL clients and perform certificate based authentication.

This would be the process:

1-) Create the Certificate Authority as shown below:

Follow the path below:

Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > CA Server

Check off the "Enable Certificate Authority Server" option and enter a passphrase.

Optionally you could configure an SMTP e-mail server with which the ASA could send the certificate information to your users, but in this example we will work with the HTTP connection.

CA1.bmp

2-) You will need to add a user in the CA’s user database:

Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Database

Select “Add” to add the “vpnuser”,

Enter the username and optionally the e-mail id.

You can also add specific values of the certificate subject name by using the “Select” button next to the “DN String” option.

CA2.bmp

Once the user is created it will have a status of allowed but not yet enrolled.

At this point you will want to generate the OTP in order to provide it to the SSL user.

CA3.bmp

Whether connecting with the AnyConnect client or through the WebVPN portal, you will get the option to “Get Certificate” (if the group the user is connecting to is configured for certificate authentication).

CA4.bmp

By clicking the “Get Certificate” button you will be asked for the username and OTP.

CA5.bmp

After you enter the correct username and OTP you will be provided with the user certificate for the install (depending on the OS you could be prompted with the option to save the certificate before installing it, if that is the case it could ask you for a passphrase for the installation, and it would be the same OTP that you entered to request the certificate).

CA6.bmp

After the certificate has been installed in the PC, the AnyConnect client will be able to establish the connection.

CA7.bmp

Below you can find how the commands look in the CLI:

crypto ca server
  smtp from-address 10.10.10.10
  database path flash:/
  no shutdown passphrase cisco123

crypto ca server user-db add vpnuser
crypto ca server user-db allow vpnuser display-otp

I hope this can be useful for you.

Hello Marvin,

What a great post!

Thank you very much for this information

Cisco Employee

Very nice Marvin!

Adding my two cents to Matt's question; if you are using 3.0.08057 or later, which you probably are since we don't recommend using earlier versions due to security vulnerabilities:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac

You will need to also use certificate matching on the XML profile; this is because starting in 3.0.08057 the client certificate MUST have the Client Authentication EKU, however the certificates the ASA generates do not have an EKU, they just have the following Key Usages:

Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)

From those Key Usages the AC client only needs Digital Signature and Key Encipherment; we opened an Enhancement Request to have the ASA add the necessary EKU to the certs it issues.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89091

--Gustavo

New Member

Hello Gustavo,

Thank you very much for the additional info, I was not even aware of it.

It is really helpful, I will keep it in mind.

Regards,

New Member

Thanks Marvin,

Is possible to use ASA's built-in CA server when they are in failover mode?

Regards,

Cisco Employee

Hello,

No, unfortunately it is not possible... there is an enhancement request for that though, CSCsm17487, so you might want to contact your account team for more information about roadmap and stuff... It's not even supported on load balancing "officially".

HTH

--Gustavo

New Member

What a nice document!

Thank you all!

New Member

Hi Marvin,

Such a great document, I hope you will answer my questions... Is it possible to use both certificate based authentication and RSA token based authentication using different profiles? Currently my organization is using webvpn and the AnyConnect client, but I have a new requirement that some users want certificate based authentication, so I am curious if I can follow these instructions and start certificate based authentication. Is it going to affect the existing SSL webvpn functionality?

Basically I want to run both certificate based authentication and RSA token so I can provide users access accordingly.

Do I also need this image svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1

currently I have following images in flash:

svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 3 regex "Intel Mac OS X"

svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 4

Thanks,

Sal

New Member

Sal,

Provided that you create a separate connection profile for the certificate authentication you can keep using both. You will need to have a group url and/or group alias for each one. I hope this helps you resolve your issue.

Elias

New Member

Hello Sal,

As Elias previously mentioned if you are about to create 2 separate groups in the ASA, one for certificate authentication and the other one for RSA authentication they should not interfere with each other.

However, as you can check in the information at the top of the post, the ASA firewall should be running an OS version of 8.2.x or later.

With 8.2.x we can enable per tunnel-group certificate authentication.

This is a feature of the ASA 8.2.x release; with pre-8.2.x ASA code it requires enabling certificate authentication globally with the command:

  "ssl certificate-authentication interface <interface> port <portnum>"

And the above command will affect the connections to all groups in the firewall, and also ASDM connections.

Regarding your question about the AnyConnect image installed in your ASA:

It would be suggested that you upgrade to AnyConnect version 2.5.6005 (which is the one available on the Cisco web page), since Cisco has removed the previous client versions from public access due to vulnerabilities in the software:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac

I hope this information can be helpful for you.

Warm regards,

New Member

Thank you Marvin and Elias. Currently I have a 5510 ASA running ver 8.2(5) and ASDM 6.4(7). I can see all the options that are posted above. The only ssl command that is configured in my ASA is "ssl trust-point ASDM_TrustPoint1 outside"

and this ASDM_TrustPoint1 is configured for a third-party 2048 bit certificate, so when users log in through webvpn they see this certificate in the right corner of the browser. This certificate is also being used for IPSec VPN tunnels with vendors.

I am confused about the 2048 bit certificate currently installed (it's been used for different purposes) and the one that I will be using with the AnyConnect certificate based authentication.... How do they differ from each other, or rather I want to make sure that the existing 2048 bit certificate will stay as it is when configuring the internal CA certificate.

I do not understand the "ssl certificate-authentication interface <interface> port <portnum>" command; is this command necessary to configure as part of the certificate based authentication procedure mentioned above or not....

Where can I find the group url and/or group alias option.... and one last confusion: is it possible to use the existing IP pool, or do I need a new IP pool? Existing pool 192.168.104.150 - 192.168.104.200 /24

Thanks,

Sal

New Member

Marvin, can you kindly explain how I can enable AnyConnect for smartphones (Android)? I have already enabled AnyConnect but it's not working for smartphones.

Regards

Burhan

New Member

Hello Sal,

In answer to your questions,

What you need to upload to the ASA for certificate authentication is the server CA certificate, then it is not going to have any sort of conflict with the 3rd party certificate already installed in the ASA.

The command "ssl certificate-authentication interface <interface> port <portnum>" is required just for versions prior to 8.2.x; since your ASA is running 8.2.5 you will not need to use this command.

Also, you can use the same IP local pool configured in the ASA for the new connection profile.

In the above configuration example I am adding a group alias to the connection profile.

Please check the above configuration example; it contains all that you require for your set up.

Best regards,

New Member

Hello Burhan,

The configuration for AnyConnect for mobile devices (Android, phone, iPad, etc.) is just the same as for the regular AnyConnect client.

If it is already in place for PCs, then you should be able to connect the Smartphones.

It would be good that you check if the ASA has a proper license for AnyConnect for mobiles as in the example below:

show version output:

Failover cluster licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 100            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

VPN-DES                           : Enabled        perpetual

VPN-3DES-AES                      : Enabled        perpetual

Security Contexts                 : 5              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 250            perpetual

AnyConnect Essentials             : 250            perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Enabled        perpetual

AnyConnect for Mobile             : Enabled        perpetual

AnyConnect for Cisco VPN Phone    : Enabled        perpetual

Advanced Endpoint Assessment      : Enabled        perpetual

UC Phone Proxy Sessions           : 52             perpetual

Total UC Proxy Sessions           : 52             perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

In case you do not have this license enabled in the ASA you can use the following link in order to get a 90-day demo license for mobile devices:

AnyConnect mobile 90 day demo license.

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet

If after installing the license you still face issues, I would suggest opening a case with the TAC support team for further troubleshooting.

I hope this information can be helpful for you.

Best regards,

New Member

Thank you so much Marvin.

Best regards,

Sal

dm
New Member

Hello!

As I understand, certificate based authentication just checks whether the certificate is signed by the CA or not.

But if, let's say, a user's iPad is lost, how do I block access? I.e. how do I revoke the certificate?

New Member

Hello,

In case the ASA needs to check if a specific certificate is still valid, or if it has been revoked; you could configure revocation checking in the trustpoint that is used to authenticate the clients.

For further information you can check the link below:

Configuring Certificates

(About Revocation Checking section)

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/cert_cfg.html#wp1054657

I hope you find this information useful.

Best regards,
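The three checks discussed on this page, the ASA validating the client certificate against the CA certificate imported in step 5, the Client Authentication EKU that AnyConnect 3.0.08057+ insists on (Gustavo's note above), and revocation checking versus the "revocation-check none" in the posted trustpoint (the question and answer just above), as one added Go example. It is not part of the original post and is not Cisco code: it builds a throwaway PKI in memory (a trusted CA, a rogue CA, three user certificates and a CRL, all constructed here; the names vpnlab-CA, vpnuser and asa-local-ca-user are made up) and then runs the checks a certificate-only tunnel-group relies on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a key pair and a certificate for cn signed by parent (self-signed when parent is nil);
// eku == nil mimics the EKU-less user certificates the ASA local CA is described as issuing.
func issue(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: eku,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildLab returns the constructed test PKI: certificates keyed "ca", "good" (revoked in the returned
// CRL), "noeku" (no Client Authentication EKU) and "rogue" (same CN, but issued by an untrusted CA).
func BuildLab() (certs map[string]*x509.Certificate, crl []byte) {
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	ca, caKey := issue("vpnlab-CA", 1, true, nil, nil, nil)
	rogueCA, rogueKey := issue("rogue-CA", 2, true, nil, nil, nil)
	good, _ := issue("vpnuser", 10, false, clientAuth, ca, caKey)
	noEKU, _ := issue("asa-local-ca-user", 11, false, nil, ca, caKey)
	rogue, _ := issue("vpnuser", 12, false, clientAuth, rogueCA, rogueKey)
	now := time.Now()
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: good.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	if err != nil { panic(err) }
	return map[string]*x509.Certificate{"ca": ca, "good": good, "noeku": noEKU, "rogue": rogue}, crl
}

// Gateway models the ASA trustpoint: the CA certificate installed in step 5 plus that CA's current CRL.
type Gateway struct {
	roots   *x509.CertPool
	revoked map[string]bool
}

func NewGateway(ca *x509.Certificate, crlDER []byte) (*Gateway, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return nil, err }
	// A CRL the trustpoint CA did not sign, or one past its NextUpdate, must not drive access decisions.
	if err := rl.CheckSignatureFrom(ca); err != nil || time.Now().After(rl.NextUpdate) {
		return nil, fmt.Errorf("unusable CRL (signature error: %v, NextUpdate: %s)", err, rl.NextUpdate)
	}
	g := &Gateway{roots: x509.NewCertPool(), revoked: map[string]bool{}}
	g.roots.AddCert(ca)
	for _, rc := range rl.RevokedCertificates {
		g.revoked[rc.SerialNumber.String()] = true
	}
	return g, nil
}

// Authenticate runs the checks a certificate-authenticated tunnel-group depends on. requireClientAuthEKU
// reproduces the AnyConnect 3.0.08057+ rule; checkRevocation=false is the effect of "revocation-check none".
func (g *Gateway) Authenticate(client *x509.Certificate, requireClientAuthEKU, checkRevocation bool) error {
	opts := x509.VerifyOptions{Roots: g.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	hasClientAuth := false // Verify alone treats a certificate with no EKU at all as valid for any purpose
	for _, u := range client.ExtKeyUsage { hasClientAuth = hasClientAuth || u == x509.ExtKeyUsageClientAuth }
	if requireClientAuthEKU && !hasClientAuth {
		return fmt.Errorf("certificate lacks the Client Authentication EKU")
	}
	if checkRevocation && g.revoked[client.SerialNumber.String()] {
		return fmt.Errorf("certificate serial %s is revoked", client.SerialNumber)
	}
	return nil
}

func main() {
	certs, crl := BuildLab()
	gw, err := NewGateway(certs["ca"], crl)
	if err != nil { panic(err) }
	fmt.Println("good:", gw.Authenticate(certs["good"], true, false), "| rogue CA:", gw.Authenticate(certs["rogue"], true, false))
	fmt.Println("no EKU:", gw.Authenticate(certs["noeku"], true, false), "| revoked:", gw.Authenticate(certs["good"], true, true))
}
```

Run it with go run: the trusted certificate is accepted, the rogue-CA and EKU-less certificates are rejected, and the trusted certificate is rejected once its serial is on the CRL and checking is on, which is exactly the case "revocation-check none" would let through. Two details worth noticing: Go's Verify accepts a certificate that carries no EKU at all for any purpose, so the strict EKU test has to be explicit, and the CRL is only honoured after its signature has been checked against the trustpoint CA and its NextUpdate has not passed.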

dm
New Member

Thank you! This is what I wanted :-)

New Member

Hi Marvin,

I have no problem setting this up with certificate authentication.  We have a scenario where we have machines in different OUs and would like to assign different access rights based on that.  Can we filter by fields in the certificate subject field?  I could do this with no problem with the Cisco VPN client using IPSec, but it doesn't seem to work the same way with the Anyconnect SSL connection.  I'd prefer to use the SSL tunneling though.

Thanks.

Bronze

Hi Marvin, I have two quick questions:

1: I have the certificate set up as you outlined above, with ONE user account. I had 10 devices use this account/OTP to load the certificate on their remote devices (these all have a similar function). If one of these devices gets lost and I revoke the certificate, will the other 9 devices be revoked also, and need to re-enroll with another certificate?

2: I have created 10 NEW user accounts, they are not in use yet. Is there any way, other than revoking the original certificate, to have the clients get a new certificate with one of these unique user accounts?

Thanks!  Russ

Bronze

One follow-up question to the above:

There are two certificates showing for the user at this time (just started deploying these devices). Both show the same Username, but the Certificate Serial Numbers are 0x2 and 0x3. Is there ANY way to determine WHICH device holds which of these Serial Numbers? (Other than Revoking one and seeing who starts screaming?)

New Member

Hi Marvin,

Wonderful explanation, I have been looking for this for a long time. This helps me improve my skills in configuring AnyConnect VPN. Thanks for this post.

New Member

Hi Marvin,

Great document!

I have done AnyConnect VPN with certificate authentication by referencing your document.

But there is another question with Certificate to SSL VPN Connection Profile Maps.

I can create mapping rules to define different OU in certificate maps to different policy group.

But if I use a certificate which can not match any mapping rules, I will be dropped into default policy group.

Can I do something to make this situation into drop VPN connection if it can't match any mapping rule?

Thanks for your kindly sharing.

Best regards,

New Member

Thank You for the wonderful document.

Please confirm if my understanding is correct:

This solution will allow the users to connect only if they have a valid client certificate.

Any users without a valid client certificate wouldn't get authenticated by the ASA.

Context:

I am working on a project to enable client certificate based authentication for an internal web site. Wondering if I can get the users to log in through the ASA (AnyConnect) using a client certificate and then allow access to the web site.

Client-----(client certificate based authentication)------->ASA AnyConnect---------->Web Site

New Member

Please review the post, pictures don't show up.

Only select images are being displayed...can we get this fixed?

Hi Ryan Liu,

Answering your question:

Can I do something to make this situation into drop VPN connection if it can't match any mapping rule?

As you correctly described, if the certificate mapping rules don't match, the user will land in the Default Group Policy. So, if you want to drop the VPN connection for these users you can set the vpn-simultaneous-logins option to 0, that way the user will not be connected to the VPN.

This will be the changes in the configuration:

group-policy DfltGrpPolicy attributes

  vpn-simultaneous-logins 0

Regards,

Bryan Cordoba
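The fall-through behaviour Bryan describes, as an added Go example that is not from the original thread or from Cisco: a first-match evaluator for certificate-map rules keyed on subject attributes, where the absence of a match drops the session into the default profile and is refused only when that profile's policy allows zero simultaneous logins. The rule syntax is reduced to "eq" and "co" on cn/ou/o, the DefaultWEBVPNGroup fallback and the DefaultSimultaneousLogins field are this example's own modelling of the ASA behaviour, and the rules and subjects are made up.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// MapRule is one "crypto ca certificate map" entry: a test on a subject attribute ("cn", "ou" or "o")
// with operator "eq" (equals) or "co" (contains), and the connection profile a match selects.
type MapRule struct {
	Attr, Op, Value, TunnelGroup string
}

// CertMapPolicy is the ordered rule list plus the simultaneous-logins limit of the group-policy that
// unmatched certificates fall into (0 reproduces "vpn-simultaneous-logins 0" on DfltGrpPolicy).
type CertMapPolicy struct {
	Rules                     []MapRule
	DefaultSimultaneousLogins int
}

// Subject builds a certificate subject the way the CA in this scenario would populate it.
func Subject(cn string, ous ...string) pkix.Name {
	return pkix.Name{CommonName: cn, OrganizationalUnit: ous}
}

// matches compares case-insensitively, since DN attribute values are usually typed by hand.
func (r MapRule) matches(s pkix.Name) bool {
	var values []string
	switch r.Attr {
	case "cn":
		values = []string{s.CommonName}
	case "ou":
		values = s.OrganizationalUnit
	case "o":
		values = s.Organization
	}
	for _, v := range values {
		v, want := strings.ToLower(v), strings.ToLower(r.Value)
		if (r.Op == "eq" && v == want) || (r.Op == "co" && strings.Contains(v, want)) {
			return true
		}
	}
	return false
}

// Select returns the connection profile a client certificate subject is mapped to. With no matching rule
// the session lands in the default profile; if that profile's group-policy allows zero logins, the
// connection is refused instead of silently receiving the default policy.
func (p CertMapPolicy) Select(s pkix.Name) (string, error) {
	for _, r := range p.Rules {
		if r.matches(s) {
			return r.TunnelGroup, nil
		}
	}
	if p.DefaultSimultaneousLogins == 0 {
		return "", fmt.Errorf("no certificate map rule matched subject %q: login denied by default policy", s.String())
	}
	return "DefaultWEBVPNGroup", nil
}

func main() {
	policy := CertMapPolicy{Rules: []MapRule{
		{Attr: "ou", Op: "eq", Value: "Finance", TunnelGroup: "Finance-Cert-Group"},
		{Attr: "ou", Op: "co", Value: "engineering", TunnelGroup: "Engineering-Cert-Group"},
	}}
	subjects := []pkix.Name{Subject("alice", "Finance"), Subject("bob", "Platform Engineering"), Subject("mallory", "Contractors")}
	for _, s := range subjects {
		tg, err := policy.Select(s)
		fmt.Printf("%-8s -> %q %v\n", s.CommonName, tg, err)
	}
}
```

The point to take from it is the fail-open default: without the zero-login limit on the default group-policy, mallory's unmatched certificate would still get a session, just under the default policy. Rule order matters as well, since the first match wins.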

New Member

Hello friends, 

Allow me to resurrect an old post!

Can this solution also be applied with the Essentials license? I mean with IPsec remote access VPN? Or does this just work with Premium licenses (SSL VPNs)?

Regards!

New Member

Why does the ASA not require an identity certificate?

New Member

This is a good write up but I have a question.  From a security point of view, what methods are there to prevent a user from exporting the client certificate and importing it on multiple devices?

Without 2FA (i.e. username and password) the client certificate just comes up as unknown for the user, and if it is a device that has not been revoked, just loading the certificate from device to device will allow rooted or other potential devices to get in, or even ex-employees. Outside the cert expiration date, if you do not have 2FA, a generic device (like a shared iPad) could be an easy conduit to a savvy person for backdoor access. It's a nice convenience but it seems to me it has its flaws without 2FA on top of it.

So from a best practices standpoint, would you ever implement just cert authentication for a public VPN without 2FA on top, as certificates can be forgotten or not revoked, whereas typically a user account is terminated when someone is let go?

New Member

Exactly. Can you have the FW do certificate authentication and 2FA? We want to use certificate authentication to limit what computers people connect with; can it be used for that?

Marvin are you still with us?

Thanks....

Cisco Employee

Hello y.lo

For certificate authentication the ASA only needs to know the issuer of the client certificate as one of its trustpoints. For the SSL connection the client will check the identity certificate of the ASA installed on the outside interface, but that could be issued by a different CA, like the ones you request from public entities (DigiCert, Symantec, etc.).

Cheers

New Member

You could, when installing the certificate, mark it as not exportable, but that can be bypassed with some fancy tools.  But you could, use DAP on the ASA to pull certain attributes from the end point for another 'check'.  Like maybe a certain OS type, a special file residing on the device, etc.  

The end user would not be able to tell what you are checking for.

New Member

Hi,

Is it required to generate a certificate in the SSL VPN AnyConnect configuration?
