Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

ASA 5550 SSL VPN with Certificates OU Lock

We have an Enterprise CA set up in our organisation and a Cisco 5550 ASA that is going to be used for VPN users. The ASA has the CA certificate installed, an indentity certificate issued by the CA and is retrieving the CRL from the CA. The ASA authenticates against a Cisco ACS server via IETF Radius.

We have two seperate groups of SSL VPN users. When they apply for a user certifcate from our CA we ask them to fill out the OU/Dpeartment  field in their certifcate as either SSL_Support_Group or SSL_Test_Group

In the ACS server we have two seperate groups for these users. SSL_Support_Group and SSL_Test_Group. Both groups have the IETF [025] attribute ticked and both have the OU attribute set to the same as the OU specificied in the certificate (ie OU=SSL_Support_Group;).

In the ASA we have seperate SSL VPN Connection Profiles for both groups.

What we want to achieve is this. If a user logs into SSL VPN using a certificate that has the OU set to SSL_Support_Group but is in SSL_Test_Group in the ACS, then their login should be rejected. And vice versa.

At the moment if a user logs in with OU=SSL_Support_Group in their certifcate but OU=SSL_Test_Support in the ACS, then they are allowed to login but their policy is changed to SSL_Test_Group.

Is there a way to achieve what we are trying to do and if so how can we configure this?

New Member

Re: ASA 5550 SSL VPN with Certificates OU Lock

I should also have mentioned that we have we have certificate to SSL VPN Connection Profile Maps configured for both groups.

for example

OU=SSL_Support_Group maps to SSL_Support_Group Connection Profile

New Member

Re: ASA 5550 SSL VPN with Certificates OU Lock

Does anyone have any feedback on this or do I need to clarify what we are trying to achieve?

CreatePlease to create content