Anyconnect SSL VPN



    Here you can read about what you can do with certificate authentication in SSL VPN: certificate authentication itself, authorization, and certificate mapping.

Managing SSL certificates

Generate a certificate signing request (CSR)

    First create a directory where you will store an RSA key.

mkdir ~/domain.ssl
cd ~/domain.ssl

    Then generate a private key with the following command.

openssl genrsa -out privateKey.key 2048

     Create a CSR with the RSA private key.

openssl req -new -sha256 -key privateKey.key -out private.csr

    The CSR contains information about the subject of the requested certificate and is signed with the private key. You provide that information at the interactive prompt.

    To verify your request, run the following.

openssl req -noout -text -in private.csr

Request a certificate

    Now you can get your certificate from a certificate authority (CA). To do that with Microsoft Active Directory Certificate Services, go to "Request a certificate" > "advanced certificate request" and paste the contents of your CSR file into the form.

    The obtained .crt file can also be converted to .pfx/.p12 format if you need the certificate and the private key together in a single, password-protected file.

openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

    We need two certificates: one for the client side and one for the ASA.

Install certificates for client

    For the client side we need the CA certificate and the end-user certificate. To get the CA certificate from Microsoft Active Directory Certificate Services, go to "Download a CA certificate, certificate chain, or CRL" and download the current CA certificate. If the CA uses an intermediate certificate, you must also have the root CA certificate. For a certificate to be trusted, it must have been issued by a CA that is included in the trusted store of your device.

    To import the CA certificate, move the *.crt files to /etc/ca-certificates/trust-source/anchors/. Then, instead of update-ca-certificates, run trust extract-compat. Afterwards you can find the CA certificate in the /etc/ca-certificates/extracted/cadir directory of your device.

Install certificates for server

    The ASA needs the intermediate certificates, which depend on the certificate chain you have from the root certificate down to the VPN client certificate (everything in between). Apart from that, we need to install an SSL trust-point that holds the certificate presented to end users (the web page).

crypto ca certificate chain secure_trustpoint
certificate ...
<output omitted>

crypto ca certificate chain secure_Intermediate_trustpoint
certificate ca ...
<output omitted>


Lab setup

        The diagram below shows the lab topology.


    Here we have an ASA running version 9.1(7)16, which will be used for the SSL VPN configuration, a Cisco ISE version 2.3, a RADIUS server, a certificate authority server, and a test machine with the AnyConnect client.

ASA configuration

    Define the ISE server parameters.

aaa-server ISE protocol radius
aaa-server ISE (inside) host
 key *****

    Define the default tunnel-group DefaultWEBVPNGroup for users which do not match any of the criteria we will define for SSL connections.

tunnel-group DefaultWEBVPNGroup type remote-access

    Define an external group-policy whose attributes are stored on the remote ISE server.

group-policy external_policy external server-group ISE password *****

    Create a tunnel-group into which successfully authenticated and authorized users are placed.

tunnel-group SSL_ANYCONNECT_TG type remote-access
tunnel-group SSL_ANYCONNECT_TG general-attributes
 authorization-server-group ISE
 default-group-policy external_policy
 username-from-certificate UPN
tunnel-group SSL_ANYCONNECT_TG webvpn-attributes
 authentication certificate

    The "authorization-required" command requires a successful authorization before a user is allowed to connect; the default is not to require authorization. The User Principal Name (UPN) selected by "username-from-certificate" is only available through Active Directory: enterprise CAs place an entry, called a UPN, into each certificate.

    Create a trustpoint for SSL VPN connections whose revocation check refers to a Certificate Revocation List (CRL) at a remote URL, and one more trustpoint for the certificate presented to users.

crypto ca trustpoint secure_Intermediate_trustpoint
 revocation-check crl
 enrollment terminal
 crl configure
  url 1
  cache-time 1440
crypto ca trustpoint secure_trustpoint
 enrollment terminal
 keypair secure_trustpoint_key
 crl configure

    Configure the SSL encryption and the trust-point.

ssl encryption aes128-sha1 aes256-sha1
ssl trust-point adm_secure_tech_TrustPoint
ssl trust-point adm_secure_tech_TrustPoint outside

    Create a certificate map that matches authenticated users by attributes from the end-user certificate fields.

crypto ca certificate map SSL_MAP 1
 subject-name attr ou eq ssl user

    Tell the ASA to use the certificate map under webvpn. If the conditions specified in SSL_MAP are met, the user is placed in the SSL_ANYCONNECT_TG tunnel-group.

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.00058-webdeploy-k9.pkg 4
 anyconnect image disk0:/anyconnect-macos-4.5.00058-webdeploy-k9.pkg 5
 anyconnect image disk0:/anyconnect-linux64-4.5.00058-webdeploy-k9.pkg 6
 anyconnect profiles infrastructure disk0:/adm_profile.xml
 anyconnect enable
 certificate-group-map SSL_MAP 1 SSL_ANYCONNECT_TG
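The chain check, UPN extraction and certificate-map selection configured above, modelled end to end as an added example in Go (this is not the post's configuration and not Cisco code). A throwaway self-signed CA stands in for the AD CS server and issues a client certificate whose subject OU is "ssl user" and whose SAN carries a UPN; admitClient then does what the ASA does with it: rejects anything that does not chain to the trustpoint CA, takes the user name from the UPN as "username-from-certificate UPN" does, and picks the tunnel-group from a rules map that stands in for SSL_MAP plus certificate-group-map. All names (Lab Root CA, vpnuser@lab.example) and the rules map are constructed, and the OU comparison is an exact string match, which this model does not claim to be the ASA's exact matching rule.

```go
package main

// Added example, not from the original post: a lab-only model of the ASA's
// certificate-authentication path. All names and values here are constructed.

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17}
var oidMsUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // Microsoft UPN otherName type

// otherName is the OtherName inside a SAN GeneralName; a UPN value is a UTF8String.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue `asn1:"tag:0,explicit"`
}

// upnSANValue encodes a SubjectAltName with one UPN otherName; these fixed shapes cannot fail to marshal.
func upnSANValue(upn string) []byte {
	val, _ := asn1.MarshalWithParams(upn, "utf8")
	on := otherName{oidMsUPN, asn1.RawValue{Class: asn1.ClassContextSpecific, IsCompound: true, Bytes: val}}
	san, _ := asn1.Marshal(struct{ Other otherName `asn1:"tag:0"` }{on}) // GeneralName choice [0]
	return san
}

// upnFromCert does what "username-from-certificate UPN" does on the ASA: walk
// the SAN, skip DNS/e-mail/IP names, and return the msUPN otherName value.
func upnFromCert(c *x509.Certificate) (string, error) {
	for _, ext := range c.Extensions {
		var names []asn1.RawValue // SubjectAltName is SEQUENCE OF GeneralName
		if !ext.Id.Equal(oidSAN) {
			continue
		}
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return "", err
		}
		for _, gn := range names {
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil || !on.TypeID.Equal(oidMsUPN) {
				continue // not an otherName, or not a UPN
			}
			var upn string
			_, err := asn1.Unmarshal(on.Value.Bytes, &upn)
			return upn, err
		}
	}
	return "", fmt.Errorf("certificate carries no UPN")
}

// issue generates a key and certificate for name: with parent nil a self-signed CA (standing in
// for AD CS), otherwise an end-user certificate with client-auth EKU and upn in a non-critical SAN.
func issue(name pkix.Name, upn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: name, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSAN, Value: upnSANValue(upn)}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// admitClient plays the ASA: refuse anything not chaining to the trustpoint CA, take the user name
// from the UPN, then map the subject OU to a tunnel-group (the certificate map); default otherwise.
func admitClient(leaf, ca *x509.Certificate, rules map[string]string) (user, group string, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", "", fmt.Errorf("certificate rejected: %w", err)
	}
	if user, err = upnFromCert(leaf); err != nil {
		return "", "", err
	}
	for _, ou := range leaf.Subject.OrganizationalUnit {
		if tg, ok := rules[ou]; ok {
			return user, tg, nil
		}
	}
	return user, "DefaultWEBVPNGroup", nil
}
```

Issuing the CA with issue(pkix.Name{CommonName: "Lab Root CA"}, "", nil, nil), a client with issue(pkix.Name{OrganizationalUnit: []string{"ssl user"}, CommonName: "vpnuser"}, "vpnuser@lab.example", ca, caKey), and then calling admitClient(leaf, ca, map[string]string{"ssl user": "SSL_ANYCONNECT_TG"}) yields vpnuser@lab.example and SSL_ANYCONNECT_TG. A certificate with another OU still authenticates but lands in DefaultWEBVPNGroup, and one issued by a CA that is not in the trustpoint is refused before the UPN or the map is consulted, which is the order the ASA applies too: chain first, then identity, then mapping.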

    Allow the acceptable networks for validated clients in an ACL and define the IP pool.

access-list ssl_vpn_split_acl standard permit
ip local pool RA-pool mask

ISE configuration

    Go to Policy > Policy Sets. Create a new policy set with the conditions Device Type EQUALS Cisco ASA device and Radius·NAS-Port-Type EQUALS Virtual. Allowed Protocols: AnyConnect protocols.

    Under Administration > Identity Managers > External Identity Sources, create an Active Directory domain controller entry. Add the groups with SIDs available in AD. Create an Identity Source Sequence ADTL (Active Directory Then Local): a set of identity sources that is accessed in sequence until the first authentication succeeds. Put the Active Directory domain controller in first position.

    Go to Policy > Policy Elements > Authorization > Authorization Profiles to create the remote profile for SSL VPN connections.

  • Name - ssl_vpn_auth_profile
  • Network Device Profile - Cisco
  • Access Type = ACCESS_ACCEPT
  • DACL = ssl_vpn_acl
  • Class = OU=external_policy
  • CVPN3000/ASA/PIX7x-Primary-DNS =
  • CVPN3000/ASA/PIX7x-IPSec-Split-DNS-Names =
  • CVPN3000/ASA/PIX7x-Secondary-DNS =
  • CVPN3000/ASA/PIX7x-IPSec-Split-Tunneling-Policy = 1
  • CVPN3000/ASA/PIX7x-IPSec-Split-Tunnel-List = ssl_vpn_split_acl
  • CVPN3000/ASA/PIX7x-Address-Pools = RA-pool
  • CVPN3000/ASA/PIX7x-Simultaneous-Logins = 1
  • CVPN3000/ASA/PIX7x-Tunneling-Protocols = 32

    Next create an Authorization Policy above the Default one:

  • if InternalUser·Name EQUALS our external_policy, then set Results to PermitAccess (the default profile with access type Access-Accept)
  • if AD_Name·ExternalGroups EQUALS one of the groups we defined previously (the UPN from the SSL certificate exists in that AD group), then use the ssl_vpn_auth_profile authorization profile

    To bypass the authentication process on ISE, create a new authentication policy above the Default one which checks the tunnel-group name:

  • Cisco-VPN3000·CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS SSL_ANYCONNECT_TG;
  • Use - ADTL
  • If Auth fail - CONTINUE, If User not found - CONTINUE, If Process fail - DROP
