AnyConnect certificate-based authentication. Cisco community
The information in this document is based on the following software and hardware versions:
ASA 5510 running software version 8.2(2) and ASDM version 6.4(9)
AnyConnect client version 3.0 (the procedure is the same on ASA versions prior to 8.3)
Microsoft Windows Server 2003 as the CA server for this scenario.
Since the ASA in use runs 8.2.x, certificate authentication can be enabled per tunnel group. (This is a feature of ASA 8.2.x; on pre-8.2 code, certificate authentication has to be enabled globally with the command `ssl certificate-authentication interface <interface-name> port <port-number>`.)
To complete AnyConnect authentication using certificates, the AnyConnect client must obtain a valid certificate from the CA server, and the ASA must have the root CA certificate installed in order to validate the certificate presented by the connecting client.
1-) Make sure you have AnyConnect image applied in your ASA firewall:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software
Click the “Add” button and browse the flash for the appropriate image (optionally, you can upload the client package from your local computer).
2-) Enable AnyConnect on the outside interface:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
Check the box “Enable Cisco AnyConnect VPN Client or Legacy SSL Client”.
Then select the interface on which AnyConnect clients will connect (in this example, the outside interface).
Checking “Allow user to select connection profile” lets the AnyConnect user choose the group they connect to.
3-) Create a new AnyConnect connection profile:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
Click the Add button; the AnyConnect Connection Profile window opens.
Give the connection profile a name and optional group alias.
Click the Select button next to the Client Address Pools option.
The Select Address Pools window will appear.
Click the Add button to create a new address group.
4-) Create Group Policy:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
Click the Manage button next to the Group Policy option in the connection profile.
Click the Add button to create the new policy.
Name the policy (in this example “AnyConnect-Policy”) and check the boxes “Clientless SSL VPN” and “SSL VPN Client”, then click the OK button.
The AnyConnect group policy is now created.
5-) Install CA Certificate in ASA:
The CA certificate must be downloaded from the CA server and installed in the ASA.
Complete these steps to download the CA certificate from the CA server.
Log in to the CA server's web interface with the credentials supplied for the VPN server.
Click Download CA Certificate, Certificate Chain, or CRL to open the window shown. Select the Base 64 radio button as the encoding method, and click Download CA Certificate.
Save the CA certificate with the name certnew.cer to your computer.
Go to Configuration > Remote Access VPN > Certificate Management > CA Certificates in the ASA firewall.
Click the “Add” button; the “Install Certificate” window opens.
Click the “Browse” button next to the “Install from file” option.
Browse to the location where you saved the CA certificate, select the CA certificate and click the “Install” button.
At this point the CA certificate is installed in the ASA firewall, and the ASA can validate connecting users whose certificates were issued by the same CA server.
6-) Go back to the AnyConnect connection profiles and change the profile to use Certificate Authentication:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
Highlight the “AnyConnect-group” profile and click the Edit button.
The “Edit AnyConnect Connection Profile” window opens; set the authentication method to “Certificate”.
Click the OK button and then click Apply.
(Remember to save the completed configuration.)
7-) The next step will be to install the certificate into the AnyConnect client computer:
The user will need to log into the CA server with their credentials.
Once in the CA server, the user will need to click on the “Request a Certificate” option.
The user will want to select the “User Certificate” option.
At this point, the CA server will provide the user’s certificate to be installed.
Once the certificate is installed, the user can connect with the AnyConnect client and is authenticated with that certificate
(no username and password need to be entered).
Below you will find what the resulting configuration should look like in the CLI (the Base64 CA certificate pasted after `crypto ca authenticate` is omitted here):

```
ip local pool AnyConnect 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy AnyConnect-Policy internal
group-policy AnyConnect-Policy attributes
 vpn-tunnel-protocol svc webvpn
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool AnyConnect
 default-group-policy AnyConnect-Policy
tunnel-group AnyConnect webvpn-attributes
 authentication certificate
 group-alias AnyConnect enable
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
 svc enable
 tunnel-group-list enable
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check none
 no id-usage
 enrollment terminal
crypto ca authenticate ASDM_TrustPoint0
 <paste the Base64 CA certificate from certnew.cer here>
quit
```
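As an added example (not part of the original post), a short Python script that audits an ASA running-config like the one above for the settings this procedure depends on. The config text inside it is constructed for the demo; the `revocation-check none` line that the page's trustpoint carries is flagged, because with it the ASA never consults the CA's CRL and a revoked user certificate would still be accepted.

```python
# Added example, not from the original post: audit an ASA running-config for the
# AnyConnect certificate-authentication settings described above. Confirms the
# tunnel-group uses "authentication certificate", a CA trustpoint exists and WebVPN
# is enabled on an interface; flags "revocation-check none". Config is constructed.
import re

SAMPLE_CONFIG = """\
tunnel-group AnyConnect webvpn-attributes
 authentication certificate
 group-alias AnyConnect enable
webvpn
 enable outside
 svc enable
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check none
 enrollment terminal
"""


def parse_sections(config):
    """Group indented sub-commands under their top-level command line."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def audit_anyconnect_cert_auth(config):
    """Return {check: True/False}; False marks a setting that differs from the page."""
    sections = parse_sections(config)
    findings = {}
    for name, subs in sections.items():
        tg = re.match(r"tunnel-group (\S+) webvpn-attributes$", name)
        if tg:  # per-tunnel-group certificate authentication (ASA 8.2.x feature)
            findings[f"tunnel-group {tg.group(1)} uses certificate auth"] = (
                "authentication certificate" in subs)
        tp = re.match(r"crypto ca trustpoint (\S+)$", name)
        if tp:  # the CA certificate installed in step 5 lives in this trustpoint
            findings[f"trustpoint {tp.group(1)} present"] = True
            findings[f"trustpoint {tp.group(1)} checks revocation"] = (
                "revocation-check none" not in subs)
    findings["webvpn enabled on an interface"] = any(
        s.startswith("enable ") for s in sections.get("webvpn", []))
    return findings


if __name__ == "__main__":
    for check, ok in audit_anyconnect_cert_auth(SAMPLE_CONFIG).items():
        print(f"[{'OK' if ok else 'WARN'}] {check}")
```

Run it against the output of `show running-config` to get the same table for a real firewall.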
Hope this information is useful to you.