Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

AnyConnect 2.5 Functionality Question

Hello:

I'm in the process of evaluating SSL VPN AnyConnect 2.5 client, with ASA 8.3(1), for deployment consideration. I am also using ASDM 6.3(1) for configuration of the ASA. Currently, I am leveraging Microsoft Certificate Services & cert-based authentication to authenticate Windows XP clients, rather than using a password-based login via RADIUS or LDAP. The reason behind this is not necessarily for security purposes, but rather it allows the client to establish a VPN connection without user interaction (ease of use), if using automatic log-on.

Given that, I would also like to be able to establish separate policies for different user groups (i.e. setup specific access control for users in the IT dept, as opposed to users from the records department). Previously, I’ve been able to accomplish this using Dynamic Access Policies. However, since I’m testing with cert-based authentication, and most DAP configuration relys on user attributes from either RADIUS or LDAP, I have seemed to have lost my ability to establish any DAPs.

So, my question is, is it possible to use DAP using certificate-based authentication, and if so, how do I accomplish this?

If not, is there a way to configure AnyConnect to leverage Windows login as a “single sign-on”, if using a user/password based authentication via LDAP or RADIUS, so the end-user does not have to enter their credentials twice to establish a VPN connection?

Thanks,

Sean

3 REPLIES
Cisco Employee

Re: AnyConnect 2.5 Functionality Question

Hi Sean,

well since the only thing the ASA knows about the user is his certificate, the only separation you can make will be based on elements of the cert. In other words, is there something different in the certs of the IT dept users compared to the certs of the Records users?

e.g.

CN=John Doe, O=IT, ...

CN=Jane Doe, O=Records, ...

then you can do certificate group mapping, i.e. have different Organisations (in this example) land on different tunnel-groups. No need for DAP then.

crypto ca certificate map mymap 1
subject-name attr o eq IT
crypto ca certificate map mymap 2
subject-name attr o eq Records

webvpn
certificate-group-map mymap 1 IT-group
certificate-group-map mymap 2 Records-group

Another option is to do cert authenticaiton with radius or ldap authorization. There is a "username-from-cert" feature that allows you to define how the ASA can extract a username from the certificate (e.g. you can tell it that the CN is the username, or some other field). Then it can use that username to do an authorization request to a Radius or LDAP server.

Note that when using radius authorization (without authentication), your radius server has to have an account for each user with the password set to the username (default), or with  a common password for all users (if you configure radius-common-pw in the aaa-server config)

hth

Herbert

New Member

Re: AnyConnect 2.5 Functionality Question

Herbert,

Thank you for the reply.

For your first scenario, keying in on information in the cert to distinguish different tunnel groups, I don't believe there's anything in our org's cert that could distinguish different groups (verifying with our security on this).

That said, your second scenario intriques me, and at least at first glance, appears to be the more appropraite answer for my scenario. However, I'm finding very little infromation on how to accomplish this from a configuration stanndpoint, particularly tying this in with DAP. I don't suppose you can supply an example, or refer to an on-line doc that shows this? BTW, my preference is using LDAP.

Thanks,

Sean

Cisco Employee

Re: AnyConnect 2.5 Functionality Question

Hi Sean,

An elaborate example can be found here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a7692.shtml

But here's a basic example (I hope I'm not forgetting anything, can't try it out right now):

first configure the ldap server, obviously:

aaa-server ldap protocol ldap

aaa-server ldap (outside) host 10.1.2.3
ldap-base-dn cn=users,dc=MYDOMAIN,dc=COM
ldap-login-password *****
ldap-login-dn ldap

and then configure your tunnel-group to use that ldap server for authorization:

tunnel-group certldap general-attributes
authorization-server-group ldap
authorization-required

username-from-certificate CN


tunnel-group certldap webvpn-attributes
authentication certificate

From there on, the possibilities are endless. A common way to apply different policies to different groups would be to create group-policies locally on the ASA, and define an ldap attribute-map to map the LDAP group a user is in, to a group-policy:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Alternatively if you want to use DAP: in DAP you can use AAA attributes of type LDAP. So you can define rules similar to "if ldap.memberOf = IT-department" then ...

see e.g. http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

some more reading material:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html

I hope this helps, if you have any specific questions, let us know.

Herbert

939
Views
0
Helpful
3
Replies