RA VPN Certificate matching on ASA 7.2(5)

MaximBudyonny
Level 1

Hello,

I want to map some VPN clients to a specific group. Matching is based on the CN field from the client's certificate.
Previously all was pretty fine but today I've got a very strange thing.

Client certificates on the IKE are not matched yet. This issue occurs only with one group - IT-VPN.
Here are the matching rules:

crypto ca certificate map IT-VPN 20
subject-name attr cn eq username1@domain
subject-name attr cn eq username2@domain
subject-name attr cn eq username3@domain
subject-name attr cn eq username4@domain

Matching parameters in the rules are exactly the same as in the CN field from the client's certificate.

As the client's certificate was not recognized by any existing group, the client will be mapped to the DefaultRAGroup. This group is not configured.
So, the VPN peer isn't created.

Here is output from ASA's syslog.

4 Nov 04 2010 15:43:20 717037 Tunnel group search using certificate maps failed for peer certificate    serial number: 1AD8C64F000000000166, subject name: cn=username1@domain,ou=IT,o=CompanyName,c=UA, issuer_name: cn=CANAME,dc=SOMETHING,dc=SOMETHING2.

I'm really confused about how to match the client's certificates to the group. I've even tried to change the matching rules from "EQ" to "CO", but without success.

Accepted Solution

Herbert Baerten
Cisco Employee

Hi Maxim,

First of all, can you please clarify what you meant when you wrote "Previously all was pretty fine but today I've got a very strange thing"?

What was working fine? VPN without cert mapping? Other cert map rules were working ok? Or was even this rule working ok, and when you made some change to it, it stopped working?

Anyway, I believe the problem is that a rule will only match if ALL conditions match.

So you will have to change to something like

 crypto ca certificate map IT-VPN 20
  subject-name attr cn eq username1@domain

 crypto ca certificate map IT-VPN 21
  subject-name attr cn eq username2@domain

 crypto ca certificate map IT-VPN 22
  subject-name attr cn eq username3@domain

 crypto ca certificate map IT-VPN 23
  subject-name attr cn eq username4@domain

Other than that, note that the cert map name should be the same for all rules, so if you already have something like

 crypto ca certificate map FOO-VPN 10
  subject-name attr cn eq otherusername@domain

then you should not define:

 crypto ca certificate map IT-VPN 20
  subject-name attr cn eq username1@domain

but:

 crypto ca certificate map FOO-VPN 20
  subject-name attr cn eq username1@domain

And of course you need to map the rules to a group:

  tunnel-group-map enable rules
  tunnel-group-map FOO-VPN 10 group1
  tunnel-group-map FOO-VPN 20 group2
  tunnel-group-map FOO-VPN 21 group2
  tunnel-group-map FOO-VPN 22 group2

etc.

hth

Herbert
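To make the AND-within-a-sequence behaviour concrete, here is a small added simulation (not Cisco code, and not from this thread) of how the ASA walks certificate-map sequences: it parses `crypto ca certificate map` / `subject-name attr` / `tunnel-group-map` lines, evaluates one sequence only if all of its rules match, and returns the first matching sequence's tunnel group. It models only `subject-name attr ... eq|co` rules; the sample subject is taken from the syslog line in the question and the tunnel-group name `IT-VPN` in the bindings is an assumption.

```python
def parse_dn(dn):
    """Split 'cn=a,ou=IT,o=X,c=UA' into {'cn': 'a', ...}; attribute names lower-cased."""
    return {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in dn.split(","))}

def parse_config(text):
    """Collect certificate-map rules keyed by (map name, sequence) and tunnel-group-map bindings."""
    maps, bindings, current = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if t[:4] == ["crypto", "ca", "certificate", "map"]:
            current = (t[4], int(t[5]))
            maps.setdefault(current, [])
        elif t[:2] == ["subject-name", "attr"] and current:
            maps[current].append((t[2].lower(), t[3].lower(), t[4]))  # (attribute, operator, value)
        elif t[:1] == ["tunnel-group-map"] and t[1] != "enable":
            bindings[(t[1], int(t[2]))] = t[3]
    return maps, bindings

def rule_matches(rule, subject):
    """'eq' is an exact (case-insensitive) compare, 'co' a substring test, as in the thread."""
    attr, op, value = rule
    actual = subject.get(attr, "").lower()
    return actual == value.lower() if op == "eq" else value.lower() in actual

def select_tunnel_group(config_text, subject_dn):
    """Walk map sequences in order; a sequence matches only if ALL of its rules match (AND)."""
    maps, bindings = parse_config(config_text)
    subject = parse_dn(subject_dn)
    for key in sorted(maps):
        if maps[key] and all(rule_matches(r, subject) for r in maps[key]):
            return key[0], key[1], bindings.get(key)
    return None  # mirrors the syslog: certificate map search failed, peer falls to DefaultRAGroup

# Constructed sample input: the subject from the question's syslog line and the two configs debated.
SUBJECT = "cn=username1@domain,ou=IT,o=CompanyName,c=UA"

BROKEN_CONFIG = """crypto ca certificate map IT-VPN 20
 subject-name attr cn eq username1@domain
 subject-name attr cn eq username2@domain
tunnel-group-map enable rules
tunnel-group-map IT-VPN 20 IT-VPN"""

FIXED_CONFIG = """crypto ca certificate map IT-VPN 20
 subject-name attr cn eq username1@domain
crypto ca certificate map IT-VPN 21
 subject-name attr cn eq username2@domain
tunnel-group-map enable rules
tunnel-group-map IT-VPN 20 IT-VPN
tunnel-group-map IT-VPN 21 IT-VPN"""
```

Running `select_tunnel_group(BROKEN_CONFIG, SUBJECT)` returns `None` because no single certificate can carry two different CNs, while the split-sequence config resolves the same subject to sequence 20.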

3 Replies

Thank you for the reply.

The scheme with "one map per user/certificate" works.

Previously I thought that one map name and many rules would help me. I just thought that rules under a map are OR-ed, but as I can see, rules are AND-ed.

Hi Maxim,

If the issue is resolved, please mark this thread as such, thanks!

Or if there's anything we can still help with, let us know.

cheers

Herbert
