New Member

RA VPN Certificate matching on ASA 7.2(5)

Hello,

I want to map some VPN clients to a specific group. Matching is based on the CN field from the client's certificate.
Previously all was pretty fine, but today I've got a very strange thing.

Client certificates on the IKE are not being matched. This issue occurs only with one group, IT-VPN.
Here are the matching rules:

crypto ca certificate map IT-VPN 20
subject-name attr cn eq username1@domain
subject-name attr cn eq username2@domain
subject-name attr cn eq username3@domain
subject-name attr cn eq username4@domain

The matching parameters in the rules are exactly the same as in the CN field of the client's certificate.

As the client's certificate was not recognized by any existing group, the client is mapped to the DefaultRAGroup. This group is not configured.
So, the VPN peer is not created.

Here is the output from the ASA's syslog.

4 Nov 04 2010 15:43:20 717037 Tunnel group search using certificate maps failed for peer certificate    serial number: 1AD8C64F000000000166, subject name: cn=username1@domain,ou=IT,o=CompanyName,c=UA, issuer_name: cn=CANAME,dc=SOMETHING,dc=SOMETHING2.

I'm really confused about how to match the clients' certificates to the group. I've even tried changing the matching rules from "EQ" to "CO", but without success.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: RA VPN Certificate matching on ASA 7.2(5)

Hi Maxim,

First of all, can you please clarify what you meant when you wrote "Previously all was pretty fine but today I've got a very strange thing"?

What was working fine? VPN without cert mapping? Were other cert map rules working OK? Or was even this rule working OK, and when you made some change to it, it stopped working?

Anyway, I believe the problem is that a rule will only match if ALL conditions match.

So you will have to change to something like

 crypto ca certificate map IT-VPN 20
   subject-name attr cn eq username1@domain

 crypto ca certificate map IT-VPN 21
   subject-name attr cn eq username2@domain

 crypto ca certificate map IT-VPN 22
   subject-name attr cn eq username3@domain

 crypto ca certificate map IT-VPN 23
   subject-name attr cn eq username4@domain

Other than that, note that the cert map name should be the same for all rules, so if you already have something like

 crypto ca certificate map FOO-VPN 10
  subject-name attr cn eq otherusername@domain

then you should not define:

 crypto ca certificate map IT-VPN 20
  subject-name attr cn eq username1@domain

but:

 crypto ca certificate map FOO-VPN 20
  subject-name attr cn eq username1@domain

And of course you need to map the rules to a group:

  tunnel-group-map enable rules
  tunnel-group-map FOO-VPN 10 group1
  tunnel-group-map FOO-VPN 20 group2
  tunnel-group-map FOO-VPN 21 group2
  tunnel-group-map FOO-VPN 22 group2

etc.

hth

Herbert
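The following is an added example, not code from the thread or from Cisco: a small Python model of the matching behaviour Herbert describes, run over the subject DN quoted in the question's syslog line. It parses both the original single-sequence map (four AND-ed conditions) and the corrected one-sequence-per-user layout, then resolves the tunnel group the way the answer's tunnel-group-map lines would. Evaluating sequences in ascending number with first match winning, and plain case-sensitive string comparison, are assumptions of this model, not something the thread states; the group names group1/group2 and the map name FOO-VPN are taken from the answer.

```python
"""Model of ASA certificate-map matching as described in the accepted answer.

Constructed example: every condition under one 'crypto ca certificate map'
sequence must hold (AND); one sequence per user is how you get OR.
"""
import re

# Subject DN copied from the syslog line quoted in the question.
SUBJECT_USER1 = "cn=username1@domain,ou=IT,o=CompanyName,c=UA"

# The original (non-working) map from the question: four AND-ed conditions.
ORIGINAL_MAP = """
crypto ca certificate map IT-VPN 20
 subject-name attr cn eq username1@domain
 subject-name attr cn eq username2@domain
 subject-name attr cn eq username3@domain
 subject-name attr cn eq username4@domain
"""

# The corrected layout from the answer: one sequence per user, one map name.
FIXED_MAP = """
crypto ca certificate map FOO-VPN 10
 subject-name attr cn eq otherusername@domain
crypto ca certificate map FOO-VPN 20
 subject-name attr cn eq username1@domain
crypto ca certificate map FOO-VPN 21
 subject-name attr cn eq username2@domain
crypto ca certificate map FOO-VPN 22
 subject-name attr cn eq username3@domain
crypto ca certificate map FOO-VPN 23
 subject-name attr cn eq username4@domain
"""

# The answer's tunnel-group-map lines as (map name, sequence) -> tunnel group.
TUNNEL_GROUP_MAP = {
    ("FOO-VPN", 10): "group1",
    ("FOO-VPN", 20): "group2",
    ("FOO-VPN", 21): "group2",
    ("FOO-VPN", 22): "group2",
    ("FOO-VPN", 23): "group2",
}
# Where an unmatched certificate lands, as reported in the question.
DEFAULT_GROUP = "DefaultRAGroup"

MAP_RE = re.compile(r"crypto ca certificate map (\S+) (\d+)$")
COND_RE = re.compile(r"subject-name attr (\S+) (eq|ne|co|nc) (\S+)$")


def parse_map(text):
    """Return a list of (map_name, seq, [(attr, op, value), ...]) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if m:
            rules.append((m.group(1), int(m.group(2)), []))
            continue
        m = COND_RE.match(line)
        if m and rules:
            rules[-1][2].append((m.group(1).lower(), m.group(2), m.group(3)))
            continue
        raise ValueError("unrecognised line: %r" % line)
    return rules


def parse_dn(dn):
    """Split 'cn=a,ou=b' into {'cn': ['a'], 'ou': ['b']} (multi-valued safe)."""
    attrs = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def condition_holds(cond, subject):
    """eq/ne = exact value present/absent; co/nc = substring present/absent."""
    attr, op, wanted = cond
    values = subject.get(attr, [])
    if op == "eq":
        return wanted in values
    if op == "ne":
        return wanted not in values
    if op == "co":
        return any(wanted in v for v in values)
    return not any(wanted in v for v in values)  # "nc"


def first_match(rules, subject_dn):
    """Assumed: sequences tried in ascending order, ALL conditions must hold."""
    subject = parse_dn(subject_dn)
    for name, seq, conds in sorted(rules, key=lambda r: r[1]):
        if conds and all(condition_holds(c, subject) for c in conds):
            return (name, seq)
    return None


def resolve_tunnel_group(rules, tg_map, subject_dn):
    """Map the first matching (map, seq) to its tunnel group, else the default."""
    hit = first_match(rules, subject_dn)
    return tg_map.get(hit, DEFAULT_GROUP) if hit else DEFAULT_GROUP


if __name__ == "__main__":
    print("original map:", resolve_tunnel_group(parse_map(ORIGINAL_MAP),
                                                 {("IT-VPN", 20): "group2"}, SUBJECT_USER1))
    print("fixed map:   ", resolve_tunnel_group(parse_map(FIXED_MAP),
                                                 TUNNEL_GROUP_MAP, SUBJECT_USER1))
```

With the original map the username1 certificate can never satisfy all four `cn eq` conditions at once, so the model returns DefaultRAGroup, matching the syslog message in the question; with one sequence per user it resolves to group2, and a CN not listed in any sequence still falls through to the default group.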

3 REPLIES
New Member

Re: RA VPN Certificate matching on ASA 7.2(5)

Thank you for the reply.

The scheme with "one map per user/certificate" works.

Previously I thought that one map name with many rules would help me. I just thought that the rules under a map are OR-ed, but as I can see, the rules are AND-ed.

Cisco Employee

Re: RA VPN Certificate matching on ASA 7.2(5)

Hi Maxim,

If the issue is resolved, please mark this thread as such, thanks!

Or if there's anything we can still help with, let us know.

cheers

Herbert
