AnyConnect SSL VPN
2017-08-15
This post covers what you can do with certificate authentication in an SSL VPN: authenticating users by certificate, authorizing them against ISE, and mapping certificate attributes to tunnel groups.
Managing SSL certificates
Generate a certificate signing request (CSR)
First create a directory where you will store the RSA key.
Then generate a private key.
Create a CSR with the RSA private key.
The CSR contains information about the applicant (the subject) and is signed with the private key. You provide that information at the interactive prompt.
Then verify the request before sending it to the CA.
Request a certificate
Now you can get your certificate from a certificate authority (CA). With Microsoft Active Directory Certificate Services, open the web enrollment page, go to "Request a certificate" > "advanced certificate request", and paste the contents of your CSR file into the form.
The issued .crt file can also be converted to .pfx/.p12 format if you need the certificate and the private key in a single, password-protected file:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt
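The whole procedure above (key, CSR, verification, issuance, chain check and .pfx export) as one runnable script. This is an added example, not the post's own commands; it assumes openssl is on PATH and uses a throw-away local CA in place of Microsoft AD CS, and every subject value, file name and password in it is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the openssl steps the text
# describes, end to end. Assumptions: openssl is installed; a throw-away
# local CA created here stands in for Microsoft AD CS, which signs the CSR
# in the real setup. All names, subject values and passwords are constructed.

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the run does not depend on the distro's openssl.cnf.
# v3_ca is only used by the stand-in CA (req -x509); CSR generation ignores it.
write_cnf() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# 1. Private key for the VPN user.
gen_key() {
    openssl genrsa -out "$WORK/privateKey.key" 2048 2>/dev/null
}

# 2. CSR signed with that key; -subj supplies what the interactive prompt asks for.
#    OU is "ssl user" because the ASA certificate map later matches on it.
gen_csr() {
    write_cnf
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/privateKey.key" \
        -subj "/C=US/O=Example Corp/OU=ssl user/CN=alice" -out "$WORK/request.csr"
}

# 3. Verify the request: self-signature check plus the subject it carries.
verify_csr() {
    openssl req -config "$WORK/req.cnf" -in "$WORK/request.csr" -noout -verify -subject 2>&1
}

# 4. Issue the certificate. The stand-in CA adds the clientAuth EKU and a UPN
#    in the SAN (OID 1.3.6.1.4.1.311.20.2.3), as an enterprise CA user template does.
issue_cert() {
    write_cnf
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Corp/CN=Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    printf '%s\n' 'extendedKeyUsage = clientAuth' \
        'subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@example.com' > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/request.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/client.ext" -out "$WORK/certificate.crt" 2>/dev/null
}

# 5. Chain check against the CA: the same validation the ASA performs on connect.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/certificate.crt"
}

# 6. Bundle key and certificate into a password-protected PKCS#12 and read it back.
to_pfx() {
    openssl pkcs12 -export -out "$WORK/certificate.pfx" -inkey "$WORK/privateKey.key" \
        -in "$WORK/certificate.crt" -passout pass:changeit \
    && openssl pkcs12 -in "$WORK/certificate.pfx" -passin pass:changeit -nokeys -noout 2>/dev/null \
    && echo ok
}

# Run every step in order:  sh this_script.sh run
if [ "${1:-}" = run ]; then
    gen_key && gen_csr && verify_csr && issue_cert && verify_chain && to_pfx
fi
```

The UPN goes into the Subject Alternative Name as an otherName, which is what the ASA's username-from-certificate UPN option reads; with a real AD CS the "User" template adds it for you, so only the CSR and the .pfx steps are typed by hand.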
We need two kinds of certificates: one for the client side and one for the ASA.
Install certificates for client
On the client side we need the CA certificate and the end-user certificate. To get the CA certificate from Microsoft Active Directory Certificate Services, go to "Download a CA certificate, certificate chain, or CRL" and download the current CA certificate. If the CA uses an intermediate certificate, you must also have the root CA certificate. For the SSL certificate to be trusted, it must have been issued by a CA that is included in the trusted store of your device.
To import the CA certificate on a Linux client that uses p11-kit (for example Arch Linux), move the *.crt files to /etc/ca-certificates/trust-source/anchors/ and then run trust extract-compat instead of update-ca-certificates. The CA certificate then appears in the /etc/ca-certificates/extracted/cadir directory of your device.
Install certificates for server
The ASA needs the intermediate SSL certificates, that is, every certificate in the chain between the root certificate and the VPN client certificate. Apart from that we need to install an SSL trustpoint holding the certificate that the ASA presents to end users (the web page).
crypto ca certificate chain secure_Intermediate_trustpoint
certificate ca ...
The diagram below shows the lab topology.
Here we have an ASA running version 9.1(7)16, which is used for the SSL VPN configuration, a Cisco ISE 2.3, a RADIUS server, a certificate authority server and a test machine with the AnyConnect client.
Define the ISE server parameters.
aaa-server ISE (inside) host 10.1.1.1
Define the default tunnel-group DefaultWEBVPNGroup for users who do not match any of the credentials or mapping rules we define for SSL connections.
Create an external group-policy whose attributes are stored on the remote ISE server.
Create a tunnel-group into which successfully authenticated and authorized users are placed.
tunnel-group SSL_ANYCONNECT_TG general-attributes
tunnel-group SSL_ANYCONNECT_TG webvpn-attributes
Here the "authorization-required" command requires a successful authorization before a user is allowed to connect; the default is not to require authorization. The User Principal Name (UPN) option of "username-from-certificate" is only usable with Active Directory: enterprise CAs place a UPN entry into each user certificate (in the Subject Alternative Name), and the ASA uses it as the username it sends to ISE.
Create a trustpoint for SSL VPN connections whose revocation checking points to the Certificate Revocation List (CRL) published by the CA, and one more trustpoint for the certificate presented to users.
url 1 http://10.1.1.1/CertEnroll/Root%20CA.crl
crypto ca trustpoint secure_trustpoint
Configure SSL encryption and the trust-point.
ssl trust-point adm_secure_tech_TrustPoint
ssl trust-point adm_secure_tech_TrustPoint outside
Create a certificate map that matches attributes from the end-user certificate fields to authenticated users.
subject-name attr ou eq ssl user
Tell the ASA to use the certificate map under webvpn: if the conditions specified in SSL_MAP are met, put the user into the SSL_ANYCONNECT_TG tunnel-group.
anyconnect image disk0:/anyconnect-win-4.5.00058-webdeploy-k9.pkg 4
anyconnect image disk0:/anyconnect-macos-4.5.00058-webdeploy-k9.pkg 5
anyconnect image disk0:/anyconnect-linux64-4.5.00058-webdeploy-k9.pkg 6
anyconnect profiles infrastructure disk0:/adm_profile.xml
certificate-group-map SSL_MAP 1 SSL_ANYCONNECT_TG
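As an added example (not from the post), the check the certificate map performs, done by hand with openssl so a client certificate can be tested against the rule "subject-name attr ou eq ssl user" before it is enrolled. The test subjects, the file names and the fallback to DefaultWEBVPNGroup for non-matching certificates are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the post's code): evaluate the ASA rule
#   subject-name attr ou eq ssl user  ->  SSL_ANYCONNECT_TG
# against a certificate file, falling back to DefaultWEBVPNGroup otherwise.
# Assumes openssl is installed; certificates below are constructed test data.

WORK="${WORK:-$(mktemp -d)}"

# Self-signed test certificate with the given subject ($1 = name, $2 = subject).
# Stands in for a certificate issued by AD CS; only the subject matters here.
make_cert() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Subject in RFC 2253 form (comma-separated attributes), e.g. OU=ssl user,CN=alice
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Apply the map: is there an OU attribute whose value is exactly "ssl user"?
# Note: splitting on commas is enough for these subjects; values containing an
# escaped comma would need a real DN parser.
map_tunnel_group() {
    subject=$(cert_subject "$1")
    if printf '%s\n' "$subject" | tr ',' '\n' | grep -q '^OU=ssl user$'; then
        echo SSL_ANYCONNECT_TG
    else
        echo DefaultWEBVPNGroup
    fi
}

# Usage:  sh this_script.sh run
if [ "${1:-}" = run ]; then
    make_cert alice "/O=Example Corp/OU=ssl user/CN=alice"
    make_cert bob   "/O=Example Corp/OU=staff/CN=bob"
    echo "alice -> $(map_tunnel_group "$WORK/alice.crt")"   # SSL_ANYCONNECT_TG
    echo "bob   -> $(map_tunnel_group "$WORK/bob.crt")"     # DefaultWEBVPNGroup
fi
```

Running the same comparison on the ASA, `show crypto ca certificate map` lists the rules and `debug crypto ca` shows which map a presented certificate hit; the script is only a way to predict that result from the certificate file.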
Allow the permitted networks for validated clients in an ACL and define the IP pool.
ip local pool RA-pool 10.1.0.1-10.2.0.253 mask 255.255.255.0
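The ASA fragments above assembled into one coherent configuration, as an added example rather than the post's own running config. Names, addresses, images and the CRL URL are taken from the post; the RADIUS key, the group-policy lookup password, the split-tunnel network and the enrollment method of the trustpoints are placeholders and assumptions of the example.

```text
! Added example: the post's fragments assembled. Placeholders in <...>.
!
! RADIUS server group towards ISE (10.1.1.1 in the post)
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.1.1.1
 key <radius-shared-secret>
!
! Trustpoint that validates client certificates; CRL checking against the
! CRL published by the AD CS server. Paste the CA certificate afterwards with
! "crypto ca authenticate secure_trustpoint" (enrollment terminal is assumed).
crypto ca trustpoint secure_trustpoint
 enrollment terminal
 revocation-check crl
 crl configure
  policy static
  url 1 http://10.1.1.1/CertEnroll/Root%20CA.crl
!
! Trustpoint holding the certificate the ASA presents to AnyConnect users
crypto ca trustpoint adm_secure_tech_TrustPoint
 enrollment terminal
ssl trust-point adm_secure_tech_TrustPoint outside
!
! Certificate map: the OU in the client certificate subject must be "ssl user"
crypto ca certificate map SSL_MAP 1
 subject-name attr ou eq ssl user
!
! External group policy; ISE returns Class = OU=external_policy. The ASA
! fetches its attributes over RADIUS using the group-policy name as username.
group-policy external_policy external server-group ISE password <lookup-password>
!
ip local pool RA-pool 10.1.0.1-10.2.0.253 mask 255.255.255.0
! split-tunnel list referenced by ISE (network is an assumption)
access-list ssl_vpn_split_acl standard permit 10.2.2.0 255.255.255.0
!
tunnel-group SSL_ANYCONNECT_TG type remote-access
tunnel-group SSL_ANYCONNECT_TG general-attributes
 address-pool RA-pool
 authentication-server-group ISE
 authorization-server-group ISE
 authorization-required
 username-from-certificate UPN
tunnel-group SSL_ANYCONNECT_TG webvpn-attributes
 authentication certificate
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.00058-webdeploy-k9.pkg 4
 anyconnect image disk0:/anyconnect-macos-4.5.00058-webdeploy-k9.pkg 5
 anyconnect image disk0:/anyconnect-linux64-4.5.00058-webdeploy-k9.pkg 6
 anyconnect profiles infrastructure disk0:/adm_profile.xml
 anyconnect enable
 certificate-group-map SSL_MAP 1 SSL_ANYCONNECT_TG
```

With authorization-required and authentication certificate together, a client that presents a valid certificate but whose UPN is not found in an authorized AD group is refused at the authorization step rather than landing in the default tunnel-group, which is the behaviour you want to confirm with a deliberately unauthorized test user.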
Go to Policy > Policy Sets. Create a new policy set with the conditions Device Type EQUALS Cisco ASA device and Radius·NAS-Port-Type EQUALS Virtual. Allowed Protocols: AnyConnect protocols.
Under Administration > Identity Management > External Identity Sources create an Active Directory domain controller join point and add the AD groups (by SID) that will be used. Create the Identity Source Sequence ADTL (Active Directory Then Local): a set of identity sources that is consulted in order until the first authentication succeeds. Put the Active Directory source in the first position.
Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles to create the profile for the SSL VPN connection.
- Name - ssl_vpn_auth_profile
- Network Device Profile - Cisco
- Access Type = ACCESS_ACCEPT
- DACL = ssl_vpn_acl
- Class = OU=external_policy
- CVPN3000/ASA/PIX7x-Primary-DNS = 10.2.2.1
- CVPN3000/ASA/PIX7x-IPSec-Split-DNS-Names = vpn.example.com
- CVPN3000/ASA/PIX7x-Secondary-DNS = 10.2.2.2
- CVPN3000/ASA/PIX7x-IPSec-Split-Tunneling-Policy = 1
- CVPN3000/ASA/PIX7x-IPSec-Split-Tunnel-List = ssl_vpn_split_acl
- CVPN3000/ASA/PIX7x-Address-Pools = RA-pool
- CVPN3000/ASA/PIX7x-Simultaneous-Logins = 1
- CVPN3000/ASA/PIX7x-Tunneling-Protocols = 32
Next create an authorization policy above the Default rule:
- if InternalUser·Name EQUALS external_policy (the lookup the ASA performs for its external group-policy, using the group-policy name as the username), then Results = PermitAccess (the default profile with Access-Accept)
- if AD_Name·ExternalGroups EQUALS one of the groups defined previously (the UPN from the SSL certificate belongs to that AD group), then use the ssl_vpn_auth_profile authorization profile
To bypass password authentication on ISE (the user has already been authenticated by certificate on the ASA), create a new authentication policy above Default that checks the tunnel-group name:
- Cisco-VPN3000·CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS SSL_ANYCONNECT_TG
- Use: ADTL
- If Auth fail: CONTINUE; If User not found: CONTINUE; If Process fail: DROP