New Member

asa 5510 IPSec

Hello,

So I'm pretty much familiar with the ASA

But not very much with VPNs

My goal is to get as much security as possible when a user logs in via VPN

which means I want the user to log in with a username, password, and a certificate made just for that user

and not a group certificate

also to validate the user via LDAP

but if both can't be done together, the first option I mentioned is more important to me

so my question is, how can it be done on the ASA? Is it possible to have each user log in using a different certificate?

It was possible on my old firewall using OpenVPN

I want to use the ASA as the certificate server

I'm using ASDM 6.4

ASA 5510 software version 8.4(4)

Thanks in advance.

Hall of Fame Super Silver

asa 5510 IPSec

Yes, two-factor authentication is not at all uncommon. There are several threads on this site describing experiences with it.

Reference

Reference 2


New Member

asa 5510 IPSec

Thank you,

But the reference you gave, which leads to Cisco documentation, talks about an outside CA server

Does it have to be like that? Can't I use the asa as the CA Server?

Maybe it's there and I've missed it/didn't get it, my apologies if so,

If someone can please point it out more specifically I would appreciate it

VIP Purple

asa 5510 IPSec

The ASA can be a CA server, but keep in mind that it won't work if you are running failover. So, even if you are not using failover at the moment, I would use a company PKI which is on the inside of the network.

If you decide not to go with certificates but with a secondary authentication, I would suggest looking into DuoSecurity (http://www.duosecurity.com) or YubiKeys (http://www.yubico.com).


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

asa 5510 IPSec

I'm not using a failover ASA, and I'm not planning to use one either.

So please, if someone can explain to me how I can configure the ASA as the CA server, create a certificate per VPN user,

export the certificates to the clients, and the whole process,

it would be a great deal of help.

VIP Purple

asa 5510 IPSec

A very good how-to can be found on the blog from IPExpert:

http://blog.ipexpert.com/2010/07/28/asa-local-ca-server/

New Member

asa 5510 IPSec

Thank you, Karsten

I followed the manual

It was excellent, made me understand just how it works, but I'm still left in a puzzle

Basically, from what I've figured out, it's a general certificate which I've created

any local user on the ASA can log in through it

and what I want is that each user will have his own unique certificate

VIP Purple

asa 5510 IPSec

In the example you generate a user named ipxuser. This user gets his certificate, and you would repeat that for every VPN user in your organization.


Re: asa 5510 IPSec

Hi

You basically need to have your users go to https://hostname/+CSCOCA+/enroll.html, enter the correct credentials / OTP and the ASA will provide them with an ID certificate.

Then you could use a group-url to map your users to the correct profile (optional, you could use a group-alias) and use the "authentication aaa certificate" under the webvpn attributes of the specific profile to authenticate the incoming session with certs and AAA credentials (2-factor authentication).

ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

Certificate mapping to AnyConnect tunnel-group I.

http://itsecworks.wordpress.com/2011/07/15/certificate-mapping-to-anyconnect-tunnel-group/

Let me know if you have any questions.

Please rate any post that you find helpful.
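The setup the reply above describes, written out as an added configuration example (not from any post in this thread and not Cisco's own sample): the ASA local CA issues one ID certificate per enrolled user, an LDAP group supplies the second factor, and the tunnel group requires both. All names, addresses and DNs are placeholders; the local CA path applies to SSL/AnyConnect sessions only, as the other replies note.

```cisco
! Assumed placeholders: asa-ca, Example, alice, LDAP-SRV, 10.0.0.10, VPN-USERS, vpn.example.com
!
! 1. Local CA on the ASA (no failover in use). One user-db entry per VPN user,
!    so each person enrolls at https://<asa>/+CSCOCA+/enroll.html with their own OTP
!    and receives an individual certificate rather than a shared group certificate.
crypto ca server
 issuer-name CN=asa-ca,O=Example
 lifetime certificate 365
 no shutdown
crypto ca server user-db add alice dn CN=alice,OU=VPN,O=Example email alice@example.com
crypto ca server user-db allow alice
!
! 2. LDAP server group used as the AAA (username/password) factor
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
!
! 3. Tunnel group: a valid certificate AND AAA credentials are both required.
!    The username is taken from the certificate CN and pre-filled, so a user
!    cannot present someone else's certificate with their own LDAP account.
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group LDAP-SRV
 username-from-certificate CN
tunnel-group VPN-USERS webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
 group-url https://vpn.example.com/users enable
!
! 4. Only certificates issued by this CA are mapped into the tunnel group;
!    a certificate from any other issuer is not matched to VPN-USERS.
crypto ca certificate map VPN-USERS-MAP 10
 issuer-name attr cn eq asa-ca
webvpn
 enable outside
 certificate-group-map VPN-USERS-MAP 10 VPN-USERS
```

Revoking a single user is then a matter of revoking that user's certificate on the local CA (and disabling the LDAP account), without touching the other users' credentials.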

New Member

asa 5510 IPSec

I'm using Cisco VPN Client

Can you please explain to me how it's getting done for that?

Thank you.

VIP Purple (accepted solution)

asa 5510 IPSec

For the legacy VPN Client you have to use an enterprise CA like the one built into Windows Server 2k3/2k8. On the ASA CA only SSL VPNs are supported. But for a new deployment you really should go for the AnyConnect client.


Re: asa 5510 IPSec

I agree with Karsten (5 stars).

For the Legacy VPN client, you must use an external CA server.

Please check this out:

ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

Let us know.

New Member

Re: asa 5510 IPSec

Thank you for bringing that to my attention, Karsten

And it sure is something that I would discuss in my company and check the possibility of purchasing AnyConnect licenses,

But I would need another option like the one I was looking for

So for that matter,

Let's assume I have an outside enterprise CA

How then can I bind the certificate created there to a specific user on the ASA to log in via Cisco VPN?

Edit:

Sorry, didn't see your reply, I'll check it and get back to you guys

thanks again for all of the help
