Cisco IOS Remote Access VPN matching the username from the Digital Certificate - is it possible?
I have been trying to configure remote access VPN using digital certificates for authentication on some routers using IOS. What I want to do is authenticate the user based on the email in the subject in the certificate. The situation is as follows:
Imagine two users - userA and userB, having certs certA and certB. In my configuration so far I have an ISAKMP policy using digital signatures and a PKI trustpoint which uses an external CA (OpenSSL) with no revocation check. Phase 1 goes OK and when userA(B) uses certA(B) he is able to get the Phase 1.5 prompt, authenticate further using the password stored in the router's local database and get VPN access. What I am trying to avoid is the ability for userA to authenticate using his own password but with certB and vice versa. Is there a way in IOS to lock the username for Phase 1.5 authentication to some field in the digital certificate?
I am sure this feature is available in the ASA, but what about the IOS? I am not very familiar with IKEv2 since my router does not support it, but if this is the only way to go, I might be able to find one.
I am also pasting some parts from my config:
aaa authentication login Mobile local
aaa authorization network Mobile local
!
crypto pki trustpoint PKI_TRUSTPOINT
 enrollment terminal pem
 usage ike
 revocation-check none
 rsakeypair Keypair 1024
! Here I found a command "authorization username subjectname ..." which I was unable to use for something fruitful.
!
crypto pki certificate map CERT-MAP 10
 issuer-name co Test-CA
!
crypto isakmp policy 100
 encr aes
 group 2
!
crypto isakmp identity dn
!
crypto isakmp client configuration group TestGroup   ! Which matches the OU in the certificate
 dns 192.168.117.1
 pool MOBILEPOOL
!
crypto isakmp profile MOBILEPROFILE
 match identity group MOBILEVPN
 client authentication list Mobile
 isakmp authorization list Mobile
 client configuration address respond
 virtual-template 200
Any help would be appreciated! Thank you in advance!
A certificate map is used to classify incoming VPN client connections to specific WebVPN contexts. This classification is performed based on matching criteria configured in the certificate map. This configuration shows how to check for the OU field of the end-user certificate.
This is a nice article that I came across a while ago, but it is considering webvpn.
What I am trying to achieve is bonding between the username that the user provides in phase 1.5 (xauth) and some field (e.g. email) in the subject name of the certificate used in phase 1 of IPSec negotiation. The idea here is to stop userA with certA from authenticating with userB's credentials.
I also didn't mention that the VPN Client I am using is Cisco VPN Client 5
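The certificate-map classification that the quoted article describes for WebVPN also exists for ISAKMP profiles, so here is what the poster's own configuration looks like with the map actually bound to the profile. This is an added example, not the poster's configuration or a Cisco document; it reuses the names from the post (PKI_TRUSTPOINT, CERT-MAP, MOBILEPROFILE, Test-CA, TestGroup) and assumes the end-user certificates carry ou = TestGroup in the subject. With `ca trust-point` and `match certificate` on the profile, only a certificate issued by Test-CA whose subject contains that OU can be matched to MOBILEPROFILE at all; a certificate from any other CA or group never reaches the xauth prompt.

```cisco
! Added example (not from the original post): classify peers by certificate content.
crypto pki certificate map CERT-MAP 10
 issuer-name co Test-CA
 subject-name co ou = TestGroup
!
crypto isakmp profile MOBILEPROFILE
 ! Only certificates validated against this trustpoint are accepted for the profile.
 ca trust-point PKI_TRUSTPOINT
 ! The peer's certificate must satisfy CERT-MAP to match this profile.
 match certificate CERT-MAP
 match identity group MOBILEVPN
 client authentication list Mobile
 isakmp authorization list Mobile
 client configuration address respond
 virtual-template 200
```

What this does and does not give you: it narrows who can get as far as phase 1.5 to holders of a Test-CA certificate in the right OU, which is worth having regardless, but it classifies by certificate fields only; it does not tie the xauth username to the certificate's subject, so userA presenting certB and userB's password is still not stopped by this alone. The `authorization username subjectname` command mentioned in the post belongs to the trustpoint's PKI-AAA integration, which authorizes the certificate's subject against an AAA list rather than constraining the xauth username. Since the trustpoint runs with `revocation-check none`, a certificate that has been revoked at the OpenSSL CA is still accepted, so enabling CRL checking on the trustpoint is the first mitigation for a lost or misused certificate.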