AnyConnect certificate-based authentication. Cisco community

AnyConnect certificate-based authentication. Cisco community

👨‍💻

The information in this document is based on the following software and hardware versions:

ASA 5510 running software version 8.2 (2) and ASDM version 6.4 (9)

Anyconnect client version 3.0 (will work the same for versions prior to version 8.3)

Microsoft Windows 2003 server as the CA server for the scenario.

Since the ASA version in use is 8.2.x, we can enable Certificate Authentication for each tunnel group.

(Feature in ASA 8.2.x version, using pre-8.2.x ASA code, this will require to enable certificate authentication globally with the command

ssl certificate authentication interface <واجهة> outlet “).

In order to complete AnyConnect authentication using certificates, the AnyConnect client must obtain a valid certificate from the CA server, at

At the same time, the ASA must have the root CA certificate in order to properly validate the certificate of the connected client.

1-) Make sure you have AnyConnect image applied in your ASA firewall:

Configuration > Remote VPN Access > Network Access (Client) > AnyConnect Client Software

Click the “Add” button, and browse the flash for the appropriate image (optionally you can load the client from your local computer).

2-) Enable any connection in the external interface:

Configuration > VPN Remote Access > Network Access (Client) > AnyConnect Connection Profiles

Check the box “Enable Cisco AnyConnect VPN Client or Legacy SSL Client”

Then select the interface that AnyConnect clients will connect to (in this example, the external interface).

The “Allow user to select connection profile” check option will allow the AnyConnect user to select the group they will connect to.

3-) Create a new AnyConnect connection profile:

Configuration > VPN Remote Access > Network Access (Client) > AnyConnect Connection Profiles

Click the Add button, AnyConnect Connection Profile window will open.

Give the connection profile a name and optional group alias.

Click the Select button next to the Client Address Pools option.

The Select Address Pools window will appear.

Click the Add button to create a new address group.

4-) Create Group Policy:

Configuration > VPN Remote Access > Network Access (Client) > AnyConnect Connection Profiles

Click the Manage button next to the Group Policy option in the connection profile.

Click the Add button to create the new policy.

Name the policy (in this example “AnyConnect-Policy”) and check the boxes “Clientless SSL VPN” and “SSL VPN Client”, then click the OK button.

The AnyConnect group was created at this point.

5-) Install CA Certificate in ASA:

The CA certificate must be downloaded from the CA server and installed in the ASA.

Complete these steps to download the CA certificate from the CA server.

Perform the web login to the CA server of the CA server with the help of the credentials provided to the VPN server.

Click Download CA Certificate, Certificate Chain, or CRL to open the window,

as shown. Click the Base 64 radio button as encryption method, and click Download CA Certificate.

Save the CA certificate with the name certnew.cer to your computer.

Go to Configuration > Remote Access VPN > Manage Certificates > CA Certificates in the ASA firewall.

Click the “Add” button, the “Install Certificate” window will open.

Click the “Browse” button next to the “Install from file” option.

Browse to the location where you saved the CA certificate, select the CA certificate and click the “Install” button.

At this point, the CA certificate will be installed in the ASA fiwall and will be able to validate the connected users, the user certificate generated from the same CA server.

6-) Go back to the AnyConnect connection profiles and change the profile to use Certificate Authentication:

Configuration > VPN Remote Access > Network Access (Client) > AnyConnect Connection Profiles

Highlight the “AnyConnect-group” profile and click the Edit button.

“Edit AnyConnect Connection Profile” will open, then you will be able to select the authentication method to be “Certificate”

Click the OK button and then click Apply

(Remember to save the completed configuration)

7-) The next step will be to install the certificate into the AnyConnect client computer:

The user will need to log into the CA server with their credentials.

Once in the CA server, the user will need to click on the “Request a Certificate” option.

The user will want to select the “User Certificate” option.

At this point, the CA server will provide the user’s certificate to be installed.

Once the certificate is installed, the user will be able to connect the authenticated AnyConnect client to the pre-installed certificate

(You do not need to enter a username and password)

Below you will find what the configuration in the CLI should look like:

AnyConnect Local IP Pool 10.10.10.1-10.10.10.254 Mask 255.255.255.0

AnyConect Group Policy – Internal Policy

AnyConect-Policy Group Policy Attributes

vpn-tunnel-svc-protocol webvpn

AnyConnect group tunnel type remote access group

General Features of AnyConnect Tunnel Group

AnyConnect address pool

AnyConect-policy default group policy

Tunnel webvpn theme group AnyConnect

Authentication Certificate

Enable group alias AnyConnect

webvpn

Enable outside

svc0 disk image: /anyconnect-dart-win-2.5.6005-k9.pkg 1

enable svc

Enable Tunnel Group List

Cryptography California Trustpoint ASDM_TrustPoint0

deselect none

no usage id

recording station

Cryptography CA Authentication ASDM_TrustPoint0

MIIEtDCCA5ygAwIBAgIQcNSMRXs696JMHFgTc + OKPjANBgkqhkiG9w0BAQUFADBV

MRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY3J0YWMxFjAU

BgoJkiaJk / IsZAEZFgZ2cG5sYWIxDzANBgNVBAMTBnZwbmxhYjAeFw0xMjA2MDUy

MDAyNThaFw0xNzA2MDUyMDExNTdaMFUxEzARBgoJkiaJk / IsZAEZFgNjb20xFTAT

BgoJkiaJk / IsZAEZFgVjcnRhYzEWMBQGCgmSJomT8ixkARkWBnZwbmxhYjEPMA0G

A1UEAxMGdnBubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Wo7

iCHElRUbgGAJgsf52AxlQLmeyMTSgS2I6 / hTCOmra5BkP4cUieSeWqnOAPYgGTj /

it3qGVLBjkjf2sHBUBHfIUm8nnQF2UNjTbJZVIfCAyrHoRXNDFNV6qlKFoMmi7VG

2CudXsbuC86LsFDTMkk2Y2UB / T1xUpf5TBX + uQDb7w4jIZs1DkpQBmE946lH8vyA

GHU6RdainLr / 44Sa0iPjzngMdssq0QlE / 8gYWr6HsAOvmKhf8RcokjqXEQ36JyAF

+ N/6sqoDTYl6jXg72PuoLO / zcmu8qbY + aRQGu5tlKXVemb9FyEKOuLe / Q4PirCz1

TUHw8urOHcHCquo5PwIDAQABo4IBfjCCAXowEwYJKwYBBAGCNxQCBAYeBABDAEEw

CwYDVR0PBAQDAgGGMA8GA1UdEwEB / wQFMAMBAf8wHQYDVR0OBBYEFNI2q3uAQNAg

nR + BfjqEcGUZaHoNMIIBEgYDVR0fBIIBCTCCAQUwggEBoIH + oIH7hoG7bGRhcDov

Ly9DTj12cG5sYWIsQ049dnBuLXNlcnZlci0wMSxDTj1DRFAsQ049UHVibGljJTIw

S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz12

cG5sYWIsREM9Y3J0YWMsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/

YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludIY7aHR0cDovL3Zw

bi1zZXJ2ZXItMDEudnBubGFiLmNydGFjLmNvbS9DZXJ0RW5yb2xsL3ZwbmxhYi5j

cmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAEHyvayVbKqT

0rwZNFBC3GAnUCDCK3kJxyjvir + T2pcCVS5KLukhTcDtr5VBOrSGsFA + zJvqB7qS

dwAvh9tKjpdb6rQKM5bo7NKii7mU71WxK8 / wSupLMlNEZemvZcnaLKB2P5TGwJ0K

9LTp/rT89pvO9QbEMnRMPi0dPHQbu90sDLLBksxUfXII8qNyjjqNnVq2GDHX56Gz

DzltLTLnrL4Gb/1M9ulwO2bzNV9J7uVg6iELJDbzkHFaCNXTvQJyDsN41xETg54Y

uv6hViCXnu0SaaWi2rjVqx8pUXD7O3jrH9jnBC71cUqzv + MBvJI3th9iMMA80Gno

Rl0Ipuf7dYk =

Resigned

Hope this information is useful to you..

[ad_1]
Don’t forget to share this post with friends !