Solved: Differences when matching certificate rules.

albert_coll · ‎11-29-2009

Hello, im setting up an ASA5540 as a VPN IPSec concentrator.

I would like to know what is the difference between using the default certificate matching configuration, which is to keep rules disabled and Certificate Group Matching Policy that indicates to use the value of the OU in the subject distinguished name (DN).

no yunnel-group-map enable rules <-- (default setting)

tunnel-group map enable ou <-- (default setting)

Or enabling rules and specifying a matching rule that matches exactly OU attribute (example grouptest):

no tunnel-group-map enable ou

tunnel-group-map enable rules

!

crypto ca certificate map 1

subject-name attr ou eq grouptest

With the default configuration, the matching always succeeds. But when I enable rules and trying to match the ou manually, The matching always fail.

I include an subject excerpt from the client certificate:

Subject cn=ABCD

usertest,ou=GROUPTEST,o=xyz.test

Issuer

o=xyz.test

Kind regards.

kicharle · ‎11-30-2009

When you use IPSec with certificates, the peers send the IKE identity with hostname not the IP address in the IKE meesages. Hence you need a tunnel group matching the hostname that is being sent in the IKE messages.

If you want to match any parameters in the certificates, then you use tunnel-group rules and certificate maps. Let's say you need to match the "IP address" in the certificate. You define a certificate map matching the IP address and then create a tunnel-group that is mapped to the certificate map.

Please use the following command to map the certificate map to your customized tunnel-group.

tunnel-group-map

With regards

Kings

View solution in original post

kicharle · ‎11-30-2009

When you use IPSec with certificates, the peers send the IKE identity with hostname not the IP address in the IKE meesages. Hence you need a tunnel group matching the hostname that is being sent in the IKE messages.

If you want to match any parameters in the certificates, then you use tunnel-group rules and certificate maps. Let's say you need to match the "IP address" in the certificate. You define a certificate map matching the IP address and then create a tunnel-group that is mapped to the certificate map.

Please use the following command to map the certificate map to your customized tunnel-group.

tunnel-group-map

With regards

Kings

albert_coll · ‎12-01-2009

Thank you for your answer. The problem description was that when enabling rules, all my connection attempts were mapped to the DefautRAGroup instead of its specific group.

Finally, i located my problem and here is the answer. I had the following configuration:

!

crypto ca certificate map DefaultCertificateMap 10

issuer-name attr o eq xyz.test

...

crypto ca certificate map GROUPTEST 100

subject-name attr ou eq grouptest

...

tunnel-group-map DefaultCertificateMap 10 DefaultRAGroup

tunnel-group-map GROUPTEST 100 GROUPTEST

With such configuration, the mapping rule DefaultCertificateMap:

- Does not contain any “OU” matching rule. It only matches the issuer-name.

- Its sequence number (10) is lower than the “grouptest” map rule (100).

- It is mapped to the default group.

Under such configuration, every client connection attempt, regardless of its certificate ou field, was bounded to the DefaultRAGroup instead of its specific tunnel-group: The DefaultCertificateMap map rule was applied first because it had a lower seq number (10) than the others. Moreover, this rule does not contain any ou matching, only the issuer name. Therefore it always mapped successfully every connection attempt to the DefaultRAGroup because all my certificates include o=xyz.test

My solution:

I added the rule subject-name attr ou eq DefaultRAGroup to the crypto ca certificate map DefaultCertificateMap. Therefore, only the client certificates with ou=DefaultRAGroup will match this map rule, allowing thereby the inspection of all subsequent map rules.