Cisco ASA and VPN Client with certificate authentication (RSA-SIG)

Last time I wrote about PKI, NDES and setting up ASA to use these. I promised to talk about setting up remote access VPN with Cisco VPN client and certs. So, off we go…

At this point we have the PKI in place and the ASA loaded with the necessary certs. For RSA-SIG authentication to work, we also need an identity cert on the VPN client itself, along with the root CA and subordinate CA certs. There are several ways of obtaining these certs. To complete this part of the story, I will assume that all three certs are obtained via Windows AD Group Policy and the auto-enrollment feature, which is certainly the fastest way once everything is set up correctly. More about this later, but for now let’s focus on setting up the ASA and the VPN client.

First, let’s verify the client cert that was issued to us by means of group policy.

As you can see, this client cert is issued to a user, myself in this case, and we have a valid certification chain. Additionally, the General tab should look like this:

Pay attention to the validity period and make sure you have a private key that corresponds to this certificate. This may not be the case if, for example, we received this cert on one machine and exported it to another without exporting the private key.
Finally, in the Details tab, make sure that the EKU field (Enhanced Key Usage) contains “Client Authentication” and its OID.

You can verify the identity cert and both CA certs from within IE or the “Certificate Manager” (certmgr): the identity cert under “Certificates – Current User -> Personal -> Certificates”, and the CA certs under “Certificates – Current User -> Trusted Root Certification Authorities -> Certificates”.

Now we may go on and set up a VPN connection:

The only thing worth mentioning on this screen is the “Client Authentication” field, set to the cert we just verified. We don’t use “Group Authentication”.

Finally, the ASA config. This is the whole ASA config, which contains the parts from the previous article as well as the rest of the needed stuff.
If you found this useful then it was worth writing 🙂

So, until the next time …

hostname ASA-POP
enable password x encrypted
passwd x encrypted
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server a.b.c.d
name-server e.f.g.h
object network NET-
object network IP-
access-list O_I extended permit icmp any object IP-
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool POOL1 mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
object network IP-
nat (inside,outside) static
access-group O_I in interface outside
route outside x.y.z.w 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS51_TACACS protocol tacacs+
aaa-server ACS51_TACACS (outside) host a.b.c.d
key *****
aaa-server ACS51_RADIUS protocol radius
aaa-server ACS51_RADIUS (outside) host a.b.c.d
key *****
user-identity default-domain LOCAL
aaa authentication ssh console ACS51_TACACS LOCAL
http server enable
http inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set TS1 esp-aes-256 esp-sha-hmac

crypto dynamic-map DYN 1000 set ikev1 transform-set TS1
crypto dynamic-map DYN 1000 set reverse-route

crypto map MAP 1000 ipsec-isakmp dynamic DYN
crypto map MAP interface outside

crypto ca trustpoint POPRAVAK-ROOT
enrollment terminal
keypair POPRAVAK
crl configure

crypto ca trustpoint POPRAVAK-SUB
enrollment url http://ndes:80/certsrv/mscep/mscep.dll
subject-name,OU=IT,L=Bijeljina,ST=RS,O=Popravak Ltd,C=BA
keypair POPRAVAK
crl configure

crypto ca certificate map DefaultCertificateMap 10

! This is for mapping an incoming VPN connection to a valid tunnel-group
! This could be avoided by using an OU name of “Employees” in the identity cert
! or by creating tunnel-group “direkcijait” on ASA instead of “Employees”, but this way
! is a lot more fun :)
crypto ca certificate map Employees 10
subject-name attr ou co direkcijait

crypto ca certificate chain POPRAVAK-ROOT
certificate ca 72abbeee9dda408b41031a0703e7e2e2
30820365 3082024d a0030201 02021072 abbeee9d da408b41 031a0703 e7e2e230
… Lines omitted …
eebaeeb5 cdbae6aa f4

crypto ca certificate chain POPRAVAK-SUB
certificate 61a66bea000000000033
3082078d 30820675 a0030201 02020a61 a66bea00 00000000 33300d06 092a8648
… Lines omitted …
54a61820 e7906475 dfeb68f5 95948c40 9d

certificate ca 617ebb7b000000000002
308206c4 308205ac a0030201 02020a61 7ebb7b00 00000000 02300d06 092a8648
… Lines omitted …
b1c09d51 d0644bde

crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400

! Enable IKE
crypto ikev1 enable outside

! This is the policy we are going to use
! Note that we are using certs (RSA-SIG) for authentication
crypto ikev1 policy 10
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400

telnet timeout 5
ssh inside
ssh outside
ssh timeout 5
ssh version 2
console timeout 0

dhcpd dns a.b.c.d e.f.g.h
dhcpd domain
dhcpd address inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.y.z.w

! Minimum is choosing address pool
group-policy EMPLOYEES internal
group-policy EMPLOYEES attributes
address-pools value POOL1

username spop password x encrypted

tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
authentication-server-group ACS51_TACACS
default-group-policy EMPLOYEES

! This is important: we need to specify trust point we wish to use
tunnel-group Employees ipsec-attributes
ikev1 trust-point POPRAVAK-SUB
! Because the OU field in the cert does not match any tunnel-group name, we
! need to use cert maps
tunnel-group-map enable rules
tunnel-group-map Employees 10 Employees
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
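To make concrete what the cert map and tunnel-group-map lines in the config above actually decide, here is a small Python model of the ASA's tunnel-group selection, added here as an example (it is not part of the original post and not Cisco code). It transcribes the page's Employees map with its single subject-name attr ou co direkcijait rule and the tunnel-group-map entry, then runs constructed subject DNs through it. Assumptions of this model, not facts from the page: string matching is case-insensitive, a map with no rules is skipped, the fallback group is called DefaultRAGroup, the issuer DN and all subject DNs are made up, and the enable_ou flag stands in for the OU-equals-tunnel-group-name alternative the comment in the config mentions.

```python
"""Model of how an ASA picks a tunnel-group from a client certificate using
'crypto ca certificate map' rules (added example, not from the original post)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A parsed X.509 name: ordered (attribute, value) pairs, attribute lower-cased.
Name = List[Tuple[str, str]]


def parse_dn(dn: str) -> Name:
    """Split 'CN=user1,OU=direkcijait,O=Popravak Ltd,C=BA' into pairs.
    Escaped commas are not handled; the constructed inputs below have none."""
    pairs: Name = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


@dataclass
class Rule:
    """One 'subject-name attr <attr> <op> <value>' (or issuer-name) line."""
    field_name: str   # "subject-name" or "issuer-name"
    attr: str         # ou, cn, o, ...
    op: str           # eq | ne | co | nc
    value: str


@dataclass
class CertMap:
    """'crypto ca certificate map <name> <seq>' plus its rule lines."""
    name: str
    seq: int
    rules: List[Rule] = field(default_factory=list)


def rule_matches(rule: Rule, subject: Name, issuer: Name) -> bool:
    """Evaluate one rule against the certificate's names.
    Assumptions of this model: comparison is case-insensitive, and for a
    multi-valued attribute (two OU= components) eq/co match if any value
    matches while ne/nc require that no value matches."""
    name = subject if rule.field_name == "subject-name" else issuer
    values = [v.lower() for a, v in name if a == rule.attr]
    want = rule.value.lower()
    if rule.op == "eq":
        return any(v == want for v in values)
    if rule.op == "ne":
        return not any(v == want for v in values)
    if rule.op == "co":
        return any(want in v for v in values)
    if rule.op == "nc":
        return not any(want in v for v in values)
    raise ValueError(f"unknown operator {rule.op!r}")


def select_tunnel_group(subject_dn: str, issuer_dn: str, cert_maps: List[CertMap],
                        tunnel_group_map: Dict[Tuple[str, int], str],
                        tunnel_groups: List[str], enable_ou: bool = False,
                        default_group: str = "DefaultRAGroup") -> str:
    """Return the tunnel-group an incoming certificate lands in.
    Maps are tried in ascending sequence number; the first one whose rules all
    match and that has a 'tunnel-group-map <map> <seq> <group>' entry wins.
    Maps without rules (the page's DefaultCertificateMap 10) are skipped here.
    With enable_ou (modelling the 'tunnel-group-map enable ou' alternative the
    config comment alludes to) a subject OU equal to an existing tunnel-group
    name is used next. Otherwise the assumed default group applies."""
    subject, issuer = parse_dn(subject_dn), parse_dn(issuer_dn)
    for cmap in sorted(cert_maps, key=lambda m: m.seq):
        if cmap.rules and all(rule_matches(r, subject, issuer) for r in cmap.rules):
            group = tunnel_group_map.get((cmap.name, cmap.seq))
            if group is not None:
                return group
    if enable_ou:
        for attr, value in subject:
            if attr == "ou" and value in tunnel_groups:
                return value
    return default_group


# The post's configuration, transcribed into the model above.
PAGE_CERT_MAPS = [
    CertMap("DefaultCertificateMap", 10),
    CertMap("Employees", 10, [Rule("subject-name", "ou", "co", "direkcijait")]),
]
PAGE_TUNNEL_GROUP_MAP = {("Employees", 10): "Employees"}
PAGE_TUNNEL_GROUPS = ["DefaultRAGroup", "Employees"]
# Constructed issuer DN standing in for the subordinate CA; not from the post.
ISSUER = "CN=EXAMPLE-SUB-CA,O=Popravak Ltd,C=BA"


def classify(subject_dn: str, enable_ou: bool = False) -> str:
    """Run a constructed subject DN through the page's rules."""
    return select_tunnel_group(subject_dn, ISSUER, PAGE_CERT_MAPS,
                               PAGE_TUNNEL_GROUP_MAP, PAGE_TUNNEL_GROUPS, enable_ou)


if __name__ == "__main__":
    for dn in ("CN=user1,OU=direkcijait,O=Popravak Ltd,C=BA",
               "CN=ops,OU=IT,OU=DirekcijaIT-Ops,O=Popravak Ltd,C=BA",
               "CN=guest,OU=Contractors,O=Popravak Ltd,C=BA",
               "CN=alt,OU=Employees,O=Popravak Ltd,C=BA"):
        print(f"{dn:55} -> {classify(dn)} / ou-mode: {classify(dn, True)}")
```

Running it shows the point the config comments make: a cert whose OU merely contains direkcijait (even as one of several OUs, in any case) is mapped to Employees by the rule, while a cert with OU=Employees and no rule match only reaches that group when OU-to-name matching is enabled, and everything else falls through to the default group. Auditing the rule set this way before deployment is a cheap check that no unintended certificate population matches the map.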

This entry was posted in ASA, Certificates, Cisco, PKI, VPN.

2 Responses to Cisco ASA and VPN Client with certificate authentication (RSA-SIG)

  1. Marco Agnese says:

    This is great documentation. I am wondering if you have done the same configuration using the AnyConnect client instead.

    • Sasa says:

      Hi Marco!

      I had implementations with AnyConnect and two-way certificate authentication. I guess this is what you are talking about? I need some time to find the config and prepare it for blogging. Please be patient 🙂
