
Clientless VPN with selfsigned certificate problem

Jan Rolny
Level 3

Hi all,

Does anyone have experience with clientless VPN using a self-signed certificate?

I have a self-signed certificate generated with the openssl tool. I have the CA certificate imported in the ASA and associated with the appropriate trustpoint. Then I have a client certificate signed by my CA and imported into my PC (client). I can see the certificate is imported properly in the system (screenshot).

[screenshot: certOK.PNG]

When I go to the webvpn login page, the IE browser prompts me for a client certificate. I choose the correct one and then I get:

Internet Explorer cannot display the webpage. This happens only when I configure certificate authentication on the ASA.

When I create a profile for LOCAL authentication (local user database), I can log in using the local user credentials.

Below is my config:

ASA Version 8.4(2)
!
hostname asa842
domain-name asa842
enable password xxx encrypted
passwd xxx encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address dhcp
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.0.0.1
domain-name asa842
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN_Pool 10.143.8.33-10.143.8.62 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 8443
http 172.30.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint logosCA
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa842
crl configure
crypto ca certificate chain logosCA
certificate ca 00e01674de882061dc
    30820686 3082046e a0030201 02020900 e01674de 882061dc 300d0609 2a864886
    f70d0101 05050030 8188310b 30090603 55040613 02435a31 17301506 03550408
    ....
  quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 42133f50
    308201d5 3082013e a0030201 02020442 133f5030 0d06092a 864886f7 0d010105
    0500302f 310f300d 06035504 03130661 73613834 32311c30 1a06092a 864886f7
    ......
  quit
telnet timeout 5
ssh 172.30.5.0 255.255.255.0 outside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl certificate-authentication interface outside port 443
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
default-domain value asa842
username xxx password xxx encrypted privilege 15
service-type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Pool
authorization-server-group LOCAL
username-from-certificate EA SER
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication aaa certificate
radius-reject-message
pre-fill-username ssl-client
pre-fill-username clientless
group-alias Default enable
tunnel-group Clientless_SSL_VPN type remote-access
tunnel-group Clientless_SSL_VPN general-attributes
username-from-certificate EA SER
tunnel-group Clientless_SSL_VPN webvpn-attributes
authentication aaa certificate
pre-fill-username clientless
group-alias SSL_CERT enable
: end

It is a testing environment and I am trying to find out how to configure the ASA for certificate authentication.

Thanks in advance for any ideas.

Jan

3 Replies

Hi Jan,

May I know the steps you followed to install the certificate on the ASA?

Did you generate a CSR from the ASA?

"show run ssl" output?

"show crypto ca certificate" output?

"show crypto ca trustpoint" output?

Thanx.

Portu.

Hi Portu,

I am not using a self-signed certificate generated by the ASA. I have generated a self-signed certificate via openssl to simulate an external CA.

asa842# sh run ssl
ssl certificate-authentication interface outside port 443


asa842# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 42133f50
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asa842.asa842
    cn=asa842
  Subject Name:
    hostname=asa842.asa842
    cn=asa842
  Validity Date:
    start date: 09:38:13 CEDT Aug 30 2012
    end   date: 09:38:13 CEDT Aug 28 2022
  Associated Trustpoints: ASDM_TrustPoint0

CA Certificate
  Status: Available
  Certificate Serial Number: 00e01674de882061dc
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    ea=test@test.cz
    cn=Client cert
    ou=IT
    o=IT
    l=Brno
    st=Czech Republic
    c=CZ
  Subject Name:
    ea=test@test.cz
    cn=Client cert
    ou=IT
    o=IT
    l=Brno
    st=Czech Republic
    c=CZ
  Validity Date:
    start date: 13:59:54 CEDT Aug 29 2012
    end   date: 13:59:54 CEDT Aug 29 2013
  Associated Trustpoints: logosCA

asa842# sh crypto ca trustpoints

Trustpoint logosCA:
    Subject Name:
    ea=test@test.cz
    cn=Client cert
    ou=IT
    o=IT
    l=Brno
    st=Czech Republic
    c=CZ
          Serial Number: 00e01674de882061dc
    Certificate configured.


Trustpoint ASDM_TrustPoint0:
    Configured for self-signed certificate generation.

Jan

Good day Jan,

Please add the following command:

ssl trust-point ASDM_TrustPoint0 outside

You do not need the "ssl certificate-authentication interface outside port 443", so you could remove it.

Please let me know.
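The binding Portu suggests can be checked offline against the "show run" and "show crypto ca certificates" text Jan posted. The Python below is an added example (not part of the thread and not a Cisco tool); it embeds a constructed, trimmed copy of that output and reports an interface with webvpn enabled but no "ssl trust-point", a trustpoint that holds only a CA certificate, and the 1024-bit key, SHA1 signatures and expiry dates visible in the output.

```python
import re
from datetime import datetime
# Constructed sample, trimmed from the thread's `show crypto ca certificates` output.
SHOW_CERTS = """Certificate
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
    end   date: 09:38:13 CEDT Aug 28 2022
  Associated Trustpoints: ASDM_TrustPoint0

CA Certificate
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA1 with RSA Encryption
    end   date: 13:59:54 CEDT Aug 29 2013
  Associated Trustpoints: logosCA
"""
# Constructed sample: the thread's ssl/webvpn config lines, which lack 'ssl trust-point'.
SHOW_RUN = "ssl certificate-authentication interface outside port 443\nwebvpn\n enable outside\n"
def asa_date(s):
    """Parse an ASA timestamp such as '09:38:13 CEDT Aug 28 2022' (zone token dropped)."""
    return datetime.strptime(re.sub(r" [A-Z]{3,4} ", " ", s), "%H:%M:%S %b %d %Y")

def parse_certs(text):
    """One dict per certificate block; keys are the lower-cased 'Label:' names."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        kind, *fields = block.splitlines()
        pairs = (line.strip().partition(":") for line in fields)
        certs.append({"kind": kind.strip(), **{re.sub(r"\s+", " ", k).lower(): v.strip() for k, _, v in pairs}})
    return certs

def audit(run, certs_text, now):
    """Findings a reviewer would raise before enabling certificate authentication."""
    findings, certs = [], parse_certs(certs_text)
    # 'ssl trust-point <tp> <iface>' selects the certificate the ASA presents on that interface.
    bound = {iface: tp for tp, iface in re.findall(r"^\s*ssl trust-point (\S+) (\S+)", run, re.M)}
    ident = {c["associated trustpoints"] for c in certs if c["kind"] == "Certificate"}
    sect = re.search(r"^webvpn\n((?:[ \t]+.*\n?)*)", run, re.M)
    for iface in re.findall(r"^\s+enable (\S+)\s*$", sect.group(1) if sect else "", re.M):
        if iface not in bound:
            findings.append(f"{iface}: webvpn enabled but no 'ssl trust-point' bound to it")
        elif bound[iface] not in ident:
            findings.append(f"{iface}: trustpoint {bound[iface]} holds a CA cert, not an identity cert")
    for c in certs:
        tp, bits = c["associated trustpoints"], int(re.search(r"(\d+) bits", c["public key type"]).group(1))
        for bad, msg in ((bits < 2048, f"RSA key is only {bits} bits"),
                         ("SHA1" in c["signature algorithm"], "certificate is SHA1-signed"),
                         (asa_date(c["end date"]) < now, f"certificate expired {c['end date']}")):
            if bad:
                findings.append(f"{tp}: {msg}")
    return findings
```

Feed it the real "show run" and "show crypto ca certificates" text; prepending the suggested "ssl trust-point ASDM_TrustPoint0 outside" line clears the interface finding.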