Hello, Jan, and thank you

Kristiyan Mladenov · ‎05-04-2014

Hi there!

I have been trying to configure remote access VPN using digital certificates for authentication on some routers using IOS. What I want to do is authenticate the user based on the email in the subject in the certificate. The situation is as follows:

Imagine two users - userA and userB, having certs certA and certB. In my configuration so far I have an ISAKMP policy using digital signatures and a PKI trustpoint which uses external CA (OpenSSL) with no revocation check. Phase 1 goes OK and when userA(B) uses certA(B) he is able to get the Phase 1.5 prompt, authenticate further using the password stored in the router`s local database and get VPN access. What I am trying to avoid is the ability for userA to authenticate usinghis own password but with certB and vice versa. Is there a way in IOS to lock the username for Phase 1.5 authentication to some field in the digital certificate?

I am sure this feature is available in the ASA, but what about the IOS? I am not very familiar with IKEv2 since my router does not support it, but if this is the only way to go, I might be able to find one.

I am also pasting some parts from my config:

aaa authentication login Mobile local
aaa authorization network Mobile local

crypto pki trustpoint PKI_TRUSTPOINT
enrollment terminal pem
usage ike
revocation-check none
rsakeypair Keypair 1024
! Here I found a command "authorization username subjectname ..." which I was unable to use for something fruitful.

crypto pki certificate map CERT-MAP 10
issuer-name co Test-CA

crypto isakmp policy 100
encr aes
group 2

crypto isakmp identity dn

crypto isakmp client configuration group TestGroup !Which matches the OU in the certificate
dns 192.168.117.1
pool MOBILEPOOL

crypto isakmp profile MOBILEPROFILE
match identity group MOBILEVPN
client authentication list Mobile
isakmp authorization list Mobile
client configuration address respond
virtual-template 200

Any help would be appreciated! Thank you in advance!

Cheers!

Jan Rolny · ‎05-05-2014

Hello,

It should be possible from Cisco IOS Release 12.4(9)T or later as described in this article:

http://www.cisco.com/c/en/us/support/docs/security/ios-sslvpn/116125-configure-SSLVPN-00.html

Step 4. Configure Certificate Map

A certificate map is used to classify incoming VPN client connections to specific WebVPN contexts. This classification is performed based on matching criteria configured in the certificate map. This configuration shows how to check for the OU field of the end-user certificate.

Router#configure terminal
Router(config)#crypto pki certificate map cert_map 10
Router(ca-certificate-map)# subject-name eq ou = sales
Router(ca-certificate-map)#!
Router(ca-certificate-map)#crypto pki certificate map ssl-vpn 10
Router(ca-certificate-map)# subject-name eq ou = finance
Router(ca-certificate-map)#exit
Router(config)#exit

Best regards,

Jan

Kristiyan Mladenov · ‎05-05-2014

Hello, Jan, and thank you!

This is a nice article that I have come across a while ago, but it is considering webvpn.

What I am trying to achieve is bonding between the username that the user provides in phase 1.5 (xauth) and some field (e.g. email) in the subject name of the certificate used in phase 1 of IPSec negotiation. The idea here is to stop userA with certA from authenticating with userB`s credentials.

I also didn`t mention that the VPN Client I am using is Cisco VPN Client 5

Cheers!

Cisco IOS Remote Access VPN matching the username from the Digital Certificate - is it possible?