AnyConnect (Certificates) + ASA + ACS Server

m.hoeschen
Level 1

Hello,

Is it possible to do certificate authentication (for the AnyConnect client) and afterwards authorization to the ACS server (to retrieve some attributes stored on my ACS server)?

Currently the authentication is working very well. However, the authorization via ACS server displays "User authentication against LDAP failed".

I'm using: ASA55010 8.3(2)4 / ACS 5.1.0.44

Thank you very much for your help.

Markus

5 Replies

Herbert Baerten
Cisco Employee

Hi Markus,

as far as I know, ACS does not support LDAP (well it does support an LDAP backend, i.e. it can function as an LDAP client - but not as an LDAP server).

So your options are:

1- do not use ACS, but use an LDAP server instead (OpenLDAP, Microsoft AD, ...)

or

2- do not use LDAP, use RADIUS for authorization. However since the Radius protocol does not know the concept of authorization, the ASA will send a Radius authentication request - the username is derived from the certificate (you've probably already configured that part) but since it doesn't query the user for a password, it will either use a common password (i.e. all users on ACS need to have the same password) or it will use the username as password (so all users on ACS need to have their password set to their username). Your choice, but probably not what you want if you already have an ACS with a user db that is also used for other access control.


or

3- use certificate + RADIUS authentication - the user will have to enter his username and password but then you can use your existing ACS database where every user has its unique password.

hth

Herbert

Hello Herbert,

thank you very much for your answer.

Concerning 1.:

Yep, that is working very well.

Concerning 2.:

That's my main problem: I don't know what password is delivered to the ACS server. I've tried to create a local ACS user with the password equal to the username: without success. I can't figure out what you have described as "common password"... Do you have a hint for me?

Could TACACS+ be an alternative solution for my problem?

Thank you very much!

Markus

Hi Markus,

I just did a quick test with a user on ACS with the password the same as the username, and then used the "test aaa" command on the ASA, and it worked fine. Did not try it yet with an actual sslvpn session with certificates. Perhaps the certificate to username mapping is not set up correctly? You can check the ACS logs to see which username the ASA is sending.

By default, ASA will use the CN from the certificate as the username. If you want to use something else, use the username-from-certificate command in tunnel-group general-attributes mode.

For the password: if you wish to use a common password instead, configure this:

aaa-server <server-tag> (inside) host x.x.x.x
 radius-common-pw <common-password>

As for Tacacs+, good question and to be honest I don't know. Will try it in the lab if I find some more free time.

Herbert

Did some more testing:

- with radius authorization, username-from-certificate CN, and a user on ACS with username = password = cert CN, it works perfectly.

- as I expected, you cannot use Tacacs for webvpn authorization:

asa(config-tunnel-general)# authorization-server-group tacplus
ERROR: Only "LOCAL", "radius" and "ldap" protocols are supported for WebVPN authorization

hth

Herbert
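For readers following the thread, here is an added example (not Herbert's or Markus's configuration) that puts the working setup together on an ASA 8.3: certificate authentication on the tunnel group, the certificate CN as the RADIUS username, and RADIUS authorization against ACS with a common password. The server tag RADIUS_ACS, the tunnel-group name ANYCONNECT_CERT, the address 10.0.0.5, the user jdoe and the two secrets are placeholders, not values from the thread. The commented block at the end shows option 3 from Herbert's first reply (certificate plus an individual RADIUS password) as the alternative.

```cisco
! Added example, not from the original thread. Tags, address, user and secrets are placeholders.

! RADIUS server group pointing at the ACS server. "radius-common-pw" is the fixed
! password the ASA puts in the Access-Request when it collected no password from the
! user (option 2 in the thread); every ACS account authorized this way must carry it.
aaa-server RADIUS_ACS protocol radius
aaa-server RADIUS_ACS (inside) host 10.0.0.5
 key <radius-shared-secret>
 radius-common-pw <common-password>

! Remote-access tunnel group: the certificate authenticates the user, the subject CN
! becomes the RADIUS username, and ACS returns the authorization attributes for it.
tunnel-group ANYCONNECT_CERT type remote-access
tunnel-group ANYCONNECT_CERT general-attributes
 username-from-certificate CN
 authorization-server-group RADIUS_ACS
 authorization-required
tunnel-group ANYCONNECT_CERT webvpn-attributes
 authentication certificate
 group-alias anyconnect enable

! Option 3 instead: require the certificate AND a RADIUS username/password, so every
! ACS user keeps an individual password and radius-common-pw is not involved.
! tunnel-group ANYCONNECT_CERT general-attributes
!  authentication-server-group RADIUS_ACS
! tunnel-group ANYCONNECT_CERT webvpn-attributes
!  authentication aaa certificate

! Check the RADIUS exchange from the CLI before testing a real AnyConnect session;
! the password given here must match what the ACS account holds.
! test aaa-server authentication RADIUS_ACS host 10.0.0.5 username jdoe password <common-password>
```

Two points worth keeping in mind with the common-password variant: the RADIUS request carries no per-user secret, so the certificate check on the ASA is the only real authentication and the ACS accounts holding the common password should be usable for nothing but this authorization (for example, restricted to requests from the ASA as network device); and the ACS authentication log is the quickest way to confirm which username the ASA actually sent when the mapping looks wrong, as Herbert suggests above.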

Hello Herbert,

the radius common password solved my problem. Now it works in a perfect way.

Thank you so much!

Markus
