AnyConnect 2.5 Functionality Question

s-daly
Level 1

Hello:

I'm in the process of evaluating SSL VPN AnyConnect 2.5 client, with ASA 8.3(1), for deployment consideration. I am also using ASDM 6.3(1) for configuration of the ASA. Currently, I am leveraging Microsoft Certificate Services & cert-based authentication to authenticate Windows XP clients, rather than using a password-based login via RADIUS or LDAP. The reason behind this is not necessarily for security purposes, but rather it allows the client to establish a VPN connection without user interaction (ease of use), if using automatic log-on.

Given that, I would also like to be able to establish separate policies for different user groups (i.e. set up specific access control for users in the IT dept, as opposed to users from the records department). Previously, I’ve been able to accomplish this using Dynamic Access Policies. However, since I’m testing with cert-based authentication, and most DAP configuration relies on user attributes from either RADIUS or LDAP, I seem to have lost my ability to establish any DAPs.

So, my question is, is it possible to use DAP using certificate-based authentication, and if so, how do I accomplish this?

If not, is there a way to configure AnyConnect to leverage Windows login as a “single sign-on”, if using a user/password based authentication via LDAP or RADIUS, so the end-user does not have to enter their credentials twice to establish a VPN connection?

Thanks,

Sean

3 Replies

Herbert Baerten
Cisco Employee

Hi Sean,

Well, since the only thing the ASA knows about the user is his certificate, the only separation you can make will be based on elements of the cert. In other words, is there something different in the certs of the IT dept users compared to the certs of the Records users?

e.g.

CN=John Doe, O=IT, ...

CN=Jane Doe, O=Records, ...

then you can do certificate group mapping, i.e. have different Organisations (in this example) land on different tunnel-groups. No need for DAP then.

crypto ca certificate map mymap 1
 subject-name attr o eq IT
crypto ca certificate map mymap 2
 subject-name attr o eq Records
!
webvpn
 certificate-group-map mymap 1 IT-group
 certificate-group-map mymap 2 Records-group

Another option is to do cert authentication with RADIUS or LDAP authorization. There is a "username-from-cert" feature that allows you to define how the ASA can extract a username from the certificate (e.g. you can tell it that the CN is the username, or some other field). Then it can use that username to do an authorization request to a RADIUS or LDAP server.

Note that when using RADIUS authorization (without authentication), your RADIUS server has to have an account for each user with the password set to the username (default), or with a common password for all users (if you configure radius-common-pw in the aaa-server config).

hth

Herbert

Herbert,

Thank you for the reply.

For your first scenario, keying in on information in the cert to distinguish different tunnel groups, I don't believe there's anything in our org's cert that could distinguish different groups (verifying with our security on this).

That said, your second scenario intrigues me, and at least at first glance, appears to be the more appropriate answer for my scenario. However, I'm finding very little information on how to accomplish this from a configuration standpoint, particularly tying this in with DAP. I don't suppose you can supply an example, or refer to an on-line doc that shows this? BTW, my preference is using LDAP.

Thanks,

Sean

Hi Sean,

An elaborate example can be found here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a7692.shtml

But here's a basic example (I hope I'm not forgetting anything, can't try it out right now):

First configure the LDAP server, obviously:

aaa-server ldap protocol ldap
aaa-server ldap (outside) host 10.1.2.3
 ldap-base-dn cn=users,dc=MYDOMAIN,dc=COM
 ldap-login-password *****
 ldap-login-dn ldap

And then configure your tunnel-group to use that LDAP server for authorization:

tunnel-group certldap general-attributes
 authorization-server-group ldap
 authorization-required
 username-from-certificate CN
!
tunnel-group certldap webvpn-attributes
 authentication certificate

From there on, the possibilities are endless. A common way to apply different policies to different groups would be to create group-policies locally on the ASA, and define an ldap attribute-map to map the LDAP group a user is in, to a group-policy:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Alternatively, if you want to use DAP: in DAP you can use AAA attributes of type LDAP. So you can define rules similar to "if ldap.memberOf = IT-department" then ...

See e.g. http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Some more reading material:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html

I hope this helps, if you have any specific questions, let us know.

Herbert
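The certificate-group-map matching from Herbert's first reply and the username-from-certificate extraction from both replies, modelled as an added Python example (this is not Cisco's code and not part of the thread). The rule semantics it assumes (ordered rules, first match wins, all criteria in a rule must hold, case-insensitive comparison, DefaultWEBVPNGroup as the fallback) are my simplification of ASA behaviour; it mainly shows why a cert with no distinguishing subject attribute, as in Sean's case, lands on the default group rather than on a department-specific one.

```python
# Added example (not Cisco's code): model of how an ASA picks a tunnel-group
# from a client cert's subject DN via "crypto ca certificate map" rules, and
# of "username-from-certificate CN". Matching semantics are assumptions.
import re

DEFAULT_GROUP = "DefaultWEBVPNGroup"  # ASA's fallback when no rule matches

def parse_dn(dn):
    """Split an RFC 4514 style DN such as 'CN=John Doe, O=IT' into
    (attr, value) pairs; backslash-escaped commas inside values are kept."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        pairs.append((attr.strip().lower(), value.replace('\\,', ',').strip()))
    return pairs

def dn_get(dn, attr):
    """Return the first value of attr (e.g. 'cn', 'o') or None if absent."""
    for a, v in parse_dn(dn):
        if a == attr.lower():
            return v
    return None

# One rule per entry: (rule index, list of (attr, op, value) criteria).
# Equivalent ASA lines:  crypto ca certificate map mymap 1
#                         subject-name attr o eq IT
CERT_MAP = [
    (1, [("o", "eq", "IT")]),
    (2, [("o", "eq", "Records")]),
]
# webvpn / certificate-group-map mymap <index> <tunnel-group>
GROUP_MAP = {1: "IT-group", 2: "Records-group"}

def criterion_matches(dn, attr, op, value):
    """ASA operators eq/ne/co/nc; an absent attribute can only satisfy ne/nc."""
    actual = dn_get(dn, attr)
    if actual is None:
        return op in ("ne", "nc")
    actual, value = actual.lower(), value.lower()
    return {"eq": actual == value, "ne": actual != value,
            "co": value in actual, "nc": value not in actual}[op]

def select_tunnel_group(subject_dn):
    """First matching rule decides; unmatched certs fall to the default group."""
    for index, criteria in CERT_MAP:
        if all(criterion_matches(subject_dn, *c) for c in criteria):
            return GROUP_MAP.get(index, DEFAULT_GROUP)
    return DEFAULT_GROUP

def username_from_certificate(subject_dn, field="cn"):
    """Model of 'username-from-certificate CN': the name sent to LDAP/RADIUS."""
    return dn_get(subject_dn, field)
```

A cert whose subject carries only CN and OU, with no O value, never matches rule 1 or 2 and therefore gets no department-specific policy; that is the situation Sean describes, and the reason LDAP authorization keyed on the CN is the better fit there.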
