Cisco Support Community

New Member

Defined list of certificates for WebVPNs and VPNs


Has anybody an idea how we can limit WebVPN or VPN connectivity to a defined list of certificates?

I want to use a certificate for VPN authentication. For example a Verisign, sorry Symantec certificate. :-) But I don't want to let anybody in the world having a Symantec certificate into my VPN. I only want to let in users with certificates with defined attributes. For example a list of defined serial numbers or certificates with special company O-attributes, etc.

I tried to use connection profile maps. But certificates which fail with their attributes still get access. They just get mapped to the DefaultWebVPNGroup profile, although the "default to connection profile" policy has not been enabled. And BTW: It's not possible to make a profile which is not allowed to use any kind of VPN technology. So where do you default the failed connections?

Has anybody tried that and got a solution?



Cisco Employee

Re: Defined list of certificates for WebVPNs and VPNs

You can try configuring SimultaneousUsers=0 in DefaultWebVPNGroup. Since you already have the Cert maps configured the user can be pushed to defined Tunnel Groups and Group policies leaving DefaultTunnelGroup and DefaultGroupPolicy to trap all the unwanted users. Since you will have simultaneousUser=0 they will be denied connection.

However, did you try setting user authentication with certificates, that is also a good idea.
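The approach described in this reply, written out as an added ASA configuration example (not taken from the thread or from Cisco documentation): a certificate map matches only certificates whose subject O attribute is the company's, matched certificates land in a dedicated connection profile with its own group policy, and the default group policy that catches everything else allows zero simultaneous logins. The map, tunnel-group, group-policy names and the "Example Corp" O value are assumed placeholders.

```cisco
! Certificate map: only certificates whose subject O attribute matches get rule 10.
! (Add further rules with other sequence numbers for other allowed attribute values.)
crypto ca certificate map CORP_CERT_MAP 10
 subject-name attr o eq Example Corp
!
! Dedicated group policy for matched certificates; set simultaneous logins
! explicitly here, otherwise the value 0 below would be inherited from DfltGrpPolicy.
group-policy CORP_GP internal
group-policy CORP_GP attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client ssl-clientless
!
! Dedicated connection profile that the certificate map points to.
tunnel-group CORP_TG type remote-access
tunnel-group CORP_TG general-attributes
 default-group-policy CORP_GP
tunnel-group CORP_TG webvpn-attributes
 authentication certificate
!
! Everything that does not match a map rule falls into DefaultWebVPNGroup,
! which uses DfltGrpPolicy: zero simultaneous logins denies those connections.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
!
! Bind the certificate map rule to the connection profile for SSL/WebVPN sessions.
webvpn
 certificate-group-map CORP_CERT_MAP 10 CORP_TG
```

Any other group policy that relies on inheriting vpn-simultaneous-logins from DfltGrpPolicy must also set the value explicitly, or its users will be locked out as well.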

New Member

Re: Defined list of certificates for WebVPNs and VPNs

Well a clear "NoLoginAllowed" or none of the VPN protocols allowed would be nicer, rather than setting the number of allowed logins to 0. I think it should work, although it doesn’t at the moment in my lab. I have to find out why.

Trying around with the certificates I saw that accessing the WebVPN is always mapped to the "DefaultWebVPNGroup". No matter where the certificate mapping points to. Otherwise I would need to use aliases to allow the user to preselect the correct "Connection Profile". Unfortunately the certificate mapping allows only mapping a certificate to the "Connection Profile" but not to the "Group Policy".

Setting the number of SimultaneousUsers=0 on the "DfltGrpPolicy" and locking it to the "DefaultWebVPNGroup" would disable WebVPN usage at all. And specific mapping of certificates to a “Group Policy” is not supported. Just a mapping to a “Connection Profile” is supported.

What's the benefit of using aaa and certificates for authentication and authorization? As my security still depends only on the username/password used to login, meanwhile everyone with a certificate from the public CA would be allowed to try out username/passwords.

I need a way to authorize certificates with specific attributes. Otherwise certificate based authentication is only useful when the certificates come from a private, dedicated CA. Is there a way to authorize certificates externally? For example on an ACS?
