The users connect to the ASA firewall with the AnyConnect client using IPsec.
Let's say we have two Certificate Authorities (with the issuer names IssuerA and IssuerB), and the users are mapped to tunnel-groups according to the issuer.
A user called Terry Wood needs SSL, as he works in a hotel and the local proxy allows only HTTP or HTTPS (and DNS).
Terry has a certificate from IssuerB.
The question is: how can we map one user to an AnyConnect profile that has SSL as the primary protocol instead of IPsec?
Solution:
This is the path along which the config works:
user certificate -> certificate map -> tunnel group -> group policy -> anyconnect profile -> xml file that holds the config for the protocol
Configuration:
certificate map:
To better understand the config here, let's check out the two tables:
Table 1. crypto-ca-cert-map mode commands/options (DN attributes):
  c      Country
  cn     Common Name
  dc     Domain Component
  dnq    DN Qualifier
  ea     Email Address
  genq   Generational Qualifier
  gn     Given Name
  i      Initials
  ip     IP Address
  l      Locality
  n      Name
  o      Organization Name
  ou     Organizational Unit
  ser    Serial Number
  sn     Surname
  sp     State/Province
  t      Title
  uid    User ID
  uname  Unstructured Name
Table 2. crypto-ca-cert-map mode commands/options (match operators):
  co  Contains
  eq  Equal
  nc  Does not contain
  ne  Not Equal
The configuration:
crypto ca certificate map MyCM1 1
 issuer-name attr cn co IssuerA
crypto ca certificate map MyCM1 2
 issuer-name attr cn co IssuerB
 subject-name nc terry wood
crypto ca certificate map MyCM2 1
 issuer-name attr cn co IssuerB
 subject-name co terry wood
webvpn:
webvpn
 anyconnect profiles AnyconnectProfileIPSec disk0:/AnyconnectProfile.xml
 anyconnect profiles AnyconnectProfileSSL disk0:/AnyconnectProfileSSL.xml
 certificate-group-map MyCM1 1 AnyconnectIPSec
 certificate-group-map MyCM1 2 AnyconnectIPSec
 certificate-group-map MyCM2 1 AnyconnectSSL
tunnel-group:
tunnel-group AnyconnectIPSec type remote-access
tunnel-group AnyconnectIPSec general-attributes
 address-pool vpn-pool1
 default-group-policy MyPolicyIPSec
tunnel-group AnyconnectIPSec webvpn-attributes
 authentication certificate
tunnel-group AnyconnectSSL type remote-access
tunnel-group AnyconnectSSL general-attributes
 address-pool vpn-pool2
 default-group-policy MyPolicySSL
tunnel-group AnyconnectSSL webvpn-attributes
 authentication certificate
group-policy:
group-policy MyPolicySSL internal
group-policy MyPolicySSL attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  anyconnect profiles value AnyconnectProfileSSL type user
group-policy MyPolicyIPSec internal
group-policy MyPolicyIPSec attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 webvpn
  anyconnect profiles value AnyconnectProfileIPSec type user
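To check that the three certificate-map rules really send only Terry to AnyconnectSSL while every other IssuerB user stays on AnyconnectIPSec, here is an added Python model of the evaluation (example code written for this post, not Cisco's implementation). It assumes the rules are tried in the order of the certificate-group-map lines, that string matches are case-insensitive (the lowercase "terry wood" in the config relies on that), and uses constructed sample certificates.

```python
"""Model of how the ASA walks the crypto ca certificate map rules above (added example)."""
from typing import Dict, List, Optional, Tuple

# Table 2 operators; matching assumed case-insensitive.
OPS = {
    "eq": lambda field, value: field.lower() == value.lower(),
    "ne": lambda field, value: field.lower() != value.lower(),
    "co": lambda field, value: value.lower() in field.lower(),
    "nc": lambda field, value: value.lower() not in field.lower(),
}

# (map, sequence, clauses, tunnel-group), mirroring the certificate map and
# certificate-group-map lines of the post. A clause is (dn, attr-or-None, op, value);
# attr None means the whole DN string is matched, as with "subject-name co ...".
Clause = Tuple[str, Optional[str], str, str]
RULES: List[Tuple[str, int, List[Clause], str]] = [
    ("MyCM1", 1, [("issuer", "cn", "co", "IssuerA")], "AnyconnectIPSec"),
    ("MyCM1", 2, [("issuer", "cn", "co", "IssuerB"),
                  ("subject", None, "nc", "terry wood")], "AnyconnectIPSec"),
    ("MyCM2", 1, [("issuer", "cn", "co", "IssuerB"),
                  ("subject", None, "co", "terry wood")], "AnyconnectSSL"),
]

def dn_field(dn: Dict[str, str], attr: Optional[str]) -> str:
    """One DN attribute, or the whole DN rendered as k=v,k=v when attr is None."""
    return dn.get(attr, "") if attr else ",".join(f"{k}={v}" for k, v in dn.items())

def rule_matches(cert: Dict[str, Dict[str, str]], clauses: List[Clause]) -> bool:
    """All lines under one map sequence must hold (they are ANDed)."""
    return all(OPS[op](dn_field(cert[dn], attr), value) for dn, attr, op, value in clauses)

def select_tunnel_group(cert: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """First matching rule wins; None means no certificate-group-map entry matched
    and the ASA's default tunnel-group selection (not modelled here) would apply."""
    for name, seq, clauses, tunnel_group in RULES:
        if rule_matches(cert, clauses):
            return f"{name} {seq}", tunnel_group
    return None

# Constructed sample certificates: issuer and subject DNs as attribute dicts.
TERRY = {"issuer": {"cn": "IssuerB"}, "subject": {"cn": "Terry Wood", "o": "Example Corp"}}
ALICE = {"issuer": {"cn": "IssuerB"}, "subject": {"cn": "Alice Smith", "o": "Example Corp"}}
BOB = {"issuer": {"cn": "IssuerA"}, "subject": {"cn": "Bob Jones"}}
STRANGER = {"issuer": {"cn": "IssuerC"}, "subject": {"cn": "Terry Wood"}}

if __name__ == "__main__":
    for who, cert in [("Terry", TERRY), ("Alice", ALICE), ("Bob", BOB), ("Stranger", STRANGER)]:
        print(f"{who}: {select_tunnel_group(cert)}")
```

Without the "subject-name nc terry wood" line in MyCM1 2, Terry would match that rule first and land in the IPsec group; the model makes that dependency visible.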
Posted on August 22, 2011