Certificate mapping to anyconnect tunnel-group I.

Posted on July 15, 2011

1



I try to configure the ASA to find the tunnel for anyconnect users according the certificate details.
The command look like following:

firewall(config)# crypto ca certificate map <certificate-map-name> <sequencenumber>
Where the sequencenumber is the Sequence to insert into certificate map entry
firewall(config)# webvpn
firewall(config-webvpn)# certificate-group-map <certificate-map-name> <certificate-map-index> <tunnel-group name>
Where the certificate-map-index is the index of the map entry to associate with the tunnel group

All right, but how are the index and the sequence number connected? Are they somehow. Lets test it!

On my certificate I got the following fields:

$ openssl x509 -in export_test.cer -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
xx:xx:xx
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=GMBH, DC=TEST, CN=TEST MS ROOT CA
Validity
Not Before: Oct 20 16:22:17 2010 GMT
Not After : Oct 20 16:32:17 2011 GMT
Subject: C=DE, ST=Bayern, L=München, O=Security, OU=Network, CN=Test2/emailAddress=test2@test.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
xxxxxx
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
S/MIME Capabilities:

1. Login OK

crypto ca certificate map TestCM1 5
subject-name attr ea eq test2@test.de
issuer-name attr cn co rootwebvpn
certificate-group-map TestCM1 5 Anyconnecttest

2. Login OK

crypto ca certificate map TestCM1 5
subject-name attr ea eq test2@test.de
subject-name attr ea co dewebvpn
certificate-group-map TestCM1 5 Anyconnecttest

3. Login not OK

crypto ca certificate map TestCM1 5
issuer-name attr cn co root
subject-name attr ea eq test2@test.de1webvpn
certificate-group-map TestCM1 5 Anyconnecttest

All conditions under the same certificate map in the same sequencenumber must match.
The mail adress (test2@test.de1) with 1 at the end cannot be found in the certificate.

4. Login OK

crypto ca certificate map TestCM1 4
issuer-name attr cn eq test mc root ca
crypto ca certificate map TestCM1 5
subject-name attr ea eq test2@test.dewebvpn
certificate-group-map TestCM1 5 Anyconnecttest

5. Login Not OK

crypto ca certificate map TestCM1 4
subject-name attr ea eq test2@test.de1
crypto ca certificate map TestCM1 5
issuer-name attr cn co root
subject-name attr ea eq test2@test.dewebvpn
certificate-group-map TestCM1 4 Anyconnecttest

But not all conditions under the same certificate map under different sequencenumbers must match.
The sequencenumber does not mean here any sequence, this is just and index that we need to use in certificate-group-map command at the place of certificate-map-index.

Lets test it with a not existing index number:

firewall(config-webvpn)# certificate-group-map TestCM1 3 Anyconnecttest
ERROR: Certificate map TestCM1, or index 3, does not exist

That means that we need to use the certificate map name and the sequencenumber defined in ‘crypto ca certificate map’ command in the ‘certificate-group-map’ command for the certificate map name and for the index number in webvpn konfiguration mode.

If we use a new sequence number we need to define this in webvpn with the ‘certificate-group-map’ command as well.

For example:

crypto ca certificate map cm1 index1

crypto ca certificate map cm1 index2
…webvpn
certificate-group-map cm1 index1 tunnelname
certificate-group-map cm1 index2 tunnelname
Advertisements
Posted in: ASA, Cisco, Security, VPN