Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates

This section demonstrates how to configure the Cisco ASA to terminate Cisco VPN Client IPSec connections using certificates. The steps to configure remote-access VPNs using preshared keys are covered in Chapter 16, "Remote Access VPNs." Figure 17-7 illustrates the topology and components used in the following example.

Figure 17-7. Remote-Access VPN Using Certificates

In Figure 17-7, remote-access users running the Cisco VPN Client connect to the Cisco ASA to access the corporate internal resources in Chicago. The clients and the Cisco ASA obtain certificates from the CA server at 209.165.202.130. The steps necessary to enroll the Cisco ASA with the CA server are the same as those demonstrated previously in this chapter. The following subsection demonstrates how to enroll the Cisco VPN Client with the CA server.

Enrolling the Cisco VPN Client

The Cisco VPN Client can enroll with a CA server either online via SCEP or manually using a file-based request. Click the Certificates tab on the VPN Client to configure the enrollment parameters. Figure 17-8 shows the Certificates tab of the Cisco VPN Client.

Figure 17-8. Cisco VPN Client Certificates Tab

Note

The Certificates tab toolbar is only viewable in advanced mode. Running the VPN Client in simple mode will not show these options. To change from simple mode to advanced mode, choose Options > Advanced Mode.

Note

To enroll and manage personal certificates in Cisco VPN Client version 3.x and earlier, use the Certificate Manager application included with the Client. This section concentrates on versions 4.x and later.

The toolbar on the Certificates tab lists the tasks you can perform from that tab. Table 17-3 describes each toolbar option and its usage.

Table 17-3. Cisco VPN Client Certificates Tab Toolbar Options

View: Shows the details of the selected certificate, including its validity period, issuer information, and distinguished name (DN) fields such as CN, OU, and O.
Import: Imports a certificate from a file or from a certificate store.
Export: Exports the selected certificate.
Enroll: Begins the enrollment process.
Verify: Checks whether the selected certificate is valid (for example, not expired).
Delete: Deletes the selected certificate or certificate request.

SCEP provides an easy mechanism to enroll the Cisco VPN Client. The following are the steps necessary to enroll the Cisco VPN Client via SCEP.

Step 1.

Click the Enroll button on the toolbar. The VPN Client Certificate Enrollment window is displayed, as shown in Figure 17-9.

Figure 17-9. Cisco VPN Client Certificate Enrollment Window

Step 2.

Select Online as the certificate enrollment type.

Step 3.

Enter the CA URL, domain, and challenge password (if applicable), and click Next. Many CA servers require the user to provide a password during enrollment; the Cisco VPN Client lets you enter it in the Challenge Password field. This password is supplied by the CA administrator. The New Password option sets the password that protects this certificate. If your connection entry requires certificate authentication, you must enter this password each time you connect.

Step 4.

The VPN Client Certificate Enrollment information form is displayed, as shown in Figure 17-10.

Figure 17-10. Cisco VPN Client Certificate Enrollment Form

This form allows you to enter the information to be included in the certificate request. After you enter the necessary information, click Enroll to send the certificate enrollment request to the CA server via SCEP. The following are the parameters you can specify on the certificate request:
 

- Name [CN]: The common name (CN) for the user certificate, which must be unique. This can be the name of a user, a system, or another entity. This field is required. The CN RemoteUser is used in this example.

- Department [OU]: Usually the name of the department to which the user belongs. SALES is used in this example.

Note

By default, the Cisco ASA matches the OU with the VPN group name. Other DN fields can also be used for this purpose.

- Company [O]: The name of the company or organization to which the user belongs. secureme is used in this example.

- State [ST]: The name of the state. Illinois (IL) is used in this example.

- Country [C]: A two-letter country code. US is used in this example.

- Email [E]: The user's e-mail address. nobody@securemeinc.com is used in this example.

- IP Address: The IP address of the user's system. Do not use this field if the system's IP address can change (for example, when it is assigned by DHCP).

- Domain: The domain name to which the user's system belongs. securemeinc.com is used in this example.
 

Step 5.

The Cisco VPN Client sends the enrollment request to the CA server. After the CA grants the certificate, the Cisco VPN Client stores it in the Cisco certificate store, as shown in Figure 17-11.

Figure 17-11. Cisco VPN Client Certificate Information

Configuring the Cisco ASA

Complete the following steps after you have enrolled the Cisco ASA with the CA server. Example 17-23 shows the ISAKMP policy configuration of the Cisco ASA.

Example 17-23. ISAKMP Policy for Remote-Access VPN

isakmp identity hostname
isakmp enable outside
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

The isakmp policy 1 authentication rsa-sig line in Example 17-23 sets the ISAKMP authentication type to rsa-sig for certificate authentication. Note that 3DES, SHA-1, and Diffie-Hellman group 2 (1024-bit MODP) reflect the era of this example and are considered weak today; use the strongest encryption, hash, and DH group that both your Cisco ASA software and your clients support.

Example 17-24 shows the crypto map configuration used to dynamically terminate remote-access VPN client connections.

Example 17-24. Dynamic Crypto Map Configuration for Remote-Access VPN

crypto ipsec transform-set chicagotrans esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set chicagotrans
crypto map chicagomap 65525 ipsec-isakmp dynamic dynmap
crypto map chicagomap interface outside

The commands in Example 17-24 are the same as those covered in Chapter 16 for preshared keys. Example 17-25 demonstrates the VPN tunnel-group configuration parameters.

Example 17-25. Tunnel-Group Configuration for Remote-Access VPN

tunnel-group SALES type ipsec-ra
tunnel-group SALES general-attributes
 address-pool ippool
 authentication-server-group LOCAL
tunnel-group SALES ipsec-attributes
 peer-id-validate cert
 trust-point chicago

The peer-id-validate cert line in Example 17-25 makes the Cisco ASA validate the identity of the VPN client using the peer's certificate. The trust-point chicago line associates the group with the configured trustpoint, whose certificate the Cisco ASA presents to the client.

The name of the VPN group in Example 17-25 is SALES. This matches the OU value from the client's certificate. By default, the Cisco ASA binds the client connection to a specific group using the OU value. Because the OU is whatever the CA placed in the certificate (in this example, the value typed into the Department field at enrollment), this default is only as safe as the CA's issuance policy: the CA, not the enrolling user, must control which OU values are issued. However, you can use any DN certificate information to associate the client with a group. This is similar to the certificate DN matching feature of the Cisco VPN 3000 Concentrator.

To configure the Cisco ASA to associate a VPN client connection with a group using the peer's certificate DN information, use the tunnel-group-map command in combination with a certificate map. Example 17-26 demonstrates how to configure the Cisco ASA to associate any VPN client whose certificate has an e-mail address containing securemeinc.com with the VPN group named SALES.

Example 17-26. DN Matching Example

crypto ca certificate map 10
! A certificate map is created with a sequence number of 10.
 subject-name attr ea co securemeinc.com
! The Cisco ASA is configured to match the e-mail address (ea) of the client's
! certificate. Any certificate that contains securemeinc.com in the e-mail address
! field will be associated with the specified group.
tunnel-group-map enable rules
! The tunnel-group-map is enabled to match the previously defined rules.
tunnel-group-map 10 SALES
! Certificate map 10 is associated with the VPN group SALES.

The following DN attribute tags can be used in a certificate map:

  • c Country
  • cn Common name
  • dnq DN qualifier
  • ea E-mail address
  • genq Generational qualifier
  • gn Given name
  • i Initials
  • ip IP address
  • l Locality
  • n Name
  • o Organization name
  • ou Organizational unit
  • ser Serial number
  • sn Surname
  • sp State/province
  • t Title
  • uid User ID
  • uname Unstructured name

The following are the operands that can be used with the subject-name subcommand under the certificate map:

  • co Contains
  • eq Equal
  • nc Does not contain
  • ne Not equal
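The following Python model ties the enrollment form fields from Step 4 to the group selection described for Example 17-26. It is an added example, not code from the book or from Cisco: it parses a certificate subject DN into the ASA's attribute tags, evaluates certificate-map rules with the co/eq/nc/ne operands, and falls back to the OU-to-group default when no rule matches. Case-insensitive comparison, the treatment of an absent attribute under ne/nc, and the sample subject DNs are assumptions constructed here.

```python
"""Tunnel-group selection from a client certificate's subject DN.

Added example (not the book's code): it models the two mechanisms this
section describes, certificate-map rules enabled with
"tunnel-group-map enable rules" and the ASA's default OU-to-group match.
Case-insensitive comparison and the handling of absent attributes for
ne/nc are assumptions made here, not behaviour documented on the page.
"""
import re
from dataclasses import dataclass

# X.509 attribute names mapped onto the ASA's short tags from the list above.
TAG_ALIASES = {
    "e": "ea", "emailaddress": "ea", "st": "sp", "s": "sp",
    "serialnumber": "ser", "title": "t", "givenname": "gn", "initials": "i",
    "generationqualifier": "genq", "dnqualifier": "dnq",
    "unstructuredname": "uname", "name": "n",
}


def parse_dn(dn: str) -> dict:
    """Parse 'CN=RemoteUser,OU=SALES,...' into {asa_tag: [values]}.

    A comma escaped as '\\,' is part of the value; repeated attributes
    (two OU components, say) are kept in order.
    """
    subject = {}
    for rdn in re.split(r"(?<!\\),", dn):
        tag, _, value = rdn.partition("=")
        tag = tag.strip().lower()
        subject.setdefault(TAG_ALIASES.get(tag, tag), []).append(
            value.strip().replace("\\,", ","))
    return subject


@dataclass(frozen=True)
class Rule:
    """One 'subject-name attr <tag> <operand> <string>' line."""
    attr: str    # cn, ou, o, ea, sp, c, ...
    op: str      # co, eq, nc, ne
    value: str


@dataclass(frozen=True)
class CertificateMap:
    """One 'crypto ca certificate map <seq>'; every rule line must match."""
    seq: int
    rules: tuple


def rule_matches(rule: Rule, subject: dict) -> bool:
    values = [v.lower() for v in subject.get(rule.attr, [])]  # assumption: case-insensitive
    needle = rule.value.lower()
    if rule.op == "eq":
        return needle in values
    if rule.op == "co":
        return any(needle in v for v in values)
    if rule.op == "ne":
        return needle not in values  # assumption: an absent attribute satisfies ne/nc
    if rule.op == "nc":
        return not any(needle in v for v in values)
    raise ValueError(f"unknown operand {rule.op!r}")


def select_tunnel_group(subject_dn, cert_maps, tunnel_group_map, default_to_ou=True):
    """Return the tunnel group for a certificate, or None if nothing applies.

    Maps are tried in sequence-number order; the first one whose rules all
    match and that has a 'tunnel-group-map <seq> <group>' entry wins. With
    no rule match, the ASA's default binds the connection to the OU value.
    """
    subject = parse_dn(subject_dn)
    for cmap in sorted(cert_maps, key=lambda m: m.seq):
        if cmap.seq in tunnel_group_map and all(rule_matches(r, subject) for r in cmap.rules):
            return tunnel_group_map[cmap.seq]
    if default_to_ou and subject.get("ou"):
        return subject["ou"][0]
    return None


# Example 17-26 as data: map 10 with "subject-name attr ea co securemeinc.com"
# and "tunnel-group-map 10 SALES".
CERT_MAPS = (CertificateMap(10, (Rule("ea", "co", "securemeinc.com"),)),)
TUNNEL_GROUP_MAP = {10: "SALES"}

# Constructed subject DNs (not from the book). The first is what the
# enrollment form values in this section would produce.
ENROLLED_USER_DN = "CN=RemoteUser,OU=SALES,O=secureme,ST=IL,C=US,E=nobody@securemeinc.com"
CONTRACTOR_DN = "CN=Contractor,OU=ENGINEERING,O=secureme,C=US,E=alice@securemeinc.com"
OTHER_DOMAIN_DN = "CN=Mallory,OU=SALES,O=other,C=US,E=mallory@example.net"
NO_OU_DN = "CN=Anon,O=other,C=US"

if __name__ == "__main__":
    for dn in (ENROLLED_USER_DN, CONTRACTOR_DN, OTHER_DOMAIN_DN, NO_OU_DN):
        print(f"{dn}\n  -> {select_tunnel_group(dn, CERT_MAPS, TUNNEL_GROUP_MAP)}")
```

The constructed OTHER_DOMAIN_DN case is the one to watch: the e-mail rule does not match, yet the OU default still places the connection in SALES, because the OU is whatever the CA issued. That is the point of the caveat above: the rules only narrow group membership if the CA's issuance policy, not the enrolling user, controls the DN fields the ASA relies on.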


Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006