As you know, nowadays it’s very popular to use tokens and certificates. Today’s article will run you through how to use the built-in CA (certificate authority) server feature of the ASA in order to issue certificates to SSL clients and perform certificate-based authentication. Of course, you can always use an external CA server in production.
Before we start, you should have already gone through the full-tunnel SSL VPN article, because that’s where I show you how to configure AnyConnect on ASA.
crypto ca server
lifetime ca-certificate 3650
lifetime certificate 365
keysize 2048
keysize server 2048
issuer-name CN=The CLI Geek
no shutdown passphrase passCisco
exit
crypto ca server user-db add tom-cert dn CN=tom-cert,OU=it,O=thecligeek
crypto ca server user-db allow user tom-cert
tunnel-group AnyConnect-TG-Cert type remote-access
tunnel-group AnyConnect-TG-Cert general-attributes
address-pool AnyConnect-Pool
default-group-policy AnyConnect-GP
tunnel-group AnyConnect-TG-Cert webvpn-attributes
group-alias "IT staff cert"
authentication certificate
crypto ca certificate map Cert-MAP 11
subject-name attr ou eq it
webvpn
certificate-group-map Cert-MAP 11 AnyConnect-TG-Cert
end
write memory
Verification
show crypto ca server
show crypto ca server cert-db
show crypto key mypubkey rsa
crypto ca server user-db show-otp user tom-cert
show clock
show ntp status
Debugging
debug crypto ca server
OK, let’s do it step-by-step.
First of all, make sure you have the correct time from a reliable source when using certificate-based authentication (show clock, show ntp status).
Next, we need to activate the local CA server and configure the lifetimes, key sizes, issuer name and a strong passphrase, which protects the local CA server. Optionally, you can configure the SMTP (Simple Mail Transfer Protocol) server used to e-mail users instructions on how to obtain their identity certificates.
crypto ca server
lifetime ca-certificate 3650
lifetime certificate 365
keysize 2048
keysize server 2048
issuer-name CN=The CLI Geek
no shutdown passphrase passCisco
After the CA is enabled, we must create user accounts for all users eligible to obtain an identity certificate from the ASA. Optionally, you can configure each user's e-mail address so that the CA can send the enrollment information to it.
crypto ca server user-db add tom-cert dn CN=tom-cert,OU=it,O=thecligeek
crypto ca server user-db allow user tom-cert
We then create a tunnel group (connection profile) where we are going to use certificate-based authentication (authentication certificate).
tunnel-group AnyConnect-TG-Cert type remote-access
tunnel-group AnyConnect-TG-Cert general-attributes
address-pool AnyConnect-Pool
default-group-policy AnyConnect-GP
tunnel-group AnyConnect-TG-Cert webvpn-attributes
group-alias "IT staff cert"
authentication certificate
Now, we need to create a certificate map and bind it to the connection profile, so that the ASA selects the appropriate connection profile for users authenticating with identity certificates.
crypto ca certificate map Cert-MAP 11
subject-name attr ou eq it
webvpn
certificate-group-map Cert-MAP 11 AnyConnect-TG-Cert
That’s it! You’re done! But, you may ask, now what? Now users can enroll. They obtain their identity certificate using a web browser or the AnyConnect client. Either way, before downloading the certificate, the user has to authenticate to the ASA with the previously defined username and a one-time password (OTP) generated by the ASA. The OTP can be sent to the user via e-mail or handed over manually.
Once users have completed the process of enrolling and installing the certificate, they will be able to log in using the certificate instead of a username and password.
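The certificate-map lookup configured above, emulated in Python as an added example (not ASA code and not the author's): it applies the subject-name rule to a client certificate's subject DN to pick the tunnel group, and includes the validity-window check that a wrong device clock breaks. It goes beyond the page's single eq rule by also handling the ne, co and nc operators of the ASA command; the case-insensitive matching is an assumption of the emulation.

```python
"""Emulate the ASA's certificate-map lookup for AnyConnect clients.
Constructed example, not ASA code: it parses a client certificate's subject DN,
evaluates the 'subject-name attr <attr> <op> <value>' rules of each
'crypto ca certificate map' entry (all rules in one entry must match) and
returns the tunnel group bound with 'certificate-group-map'. It also checks the
validity window against the device clock, the reason the article insists on NTP.
"""
from datetime import datetime

# From the article: crypto ca certificate map Cert-MAP 11 / subject-name attr ou eq it
# and webvpn / certificate-group-map Cert-MAP 11 AnyConnect-TG-Cert
CERT_MAPS = [
    {"map": "Cert-MAP", "seq": 11, "rules": [("ou", "eq", "it")], "group": "AnyConnect-TG-Cert"},
]

def parse_dn(dn):
    """'CN=tom-cert,OU=it,O=thecligeek' -> {'cn': 'tom-cert', 'ou': 'it', 'o': 'thecligeek'}"""
    attrs = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    return attrs

def rule_matches(attrs, attr, op, value):
    """ASA ops: eq, ne (not equal), co (contains), nc (not contains); case-insensitive here (assumption)."""
    actual, value = attrs.get(attr.lower(), "").lower(), value.lower()
    if op == "eq":
        return actual == value
    if op == "ne":
        return actual != value
    if op == "co":
        return value in actual
    if op == "nc":
        return value not in actual
    raise ValueError(f"unknown operator {op!r}")

def select_tunnel_group(subject_dn, maps=CERT_MAPS):
    """Tunnel group of the lowest-sequence matching entry, or None (ASA then uses the default profile)."""
    attrs = parse_dn(subject_dn)
    for entry in sorted(maps, key=lambda e: (e["map"], e["seq"])):
        if all(rule_matches(attrs, *rule) for rule in entry["rules"]):
            return entry["group"]
    return None

def validity_ok(not_before, not_after, device_clock):
    """Validity-window check on ISO-8601 timestamps; this is what fails when the ASA
    clock is wrong (hence show clock / show ntp status before troubleshooting)."""
    nb, na, now = (datetime.fromisoformat(t) for t in (not_before, not_after, device_clock))
    return nb <= now <= na
```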
Hi Sergei,
Thank you for a good article. I have a question about certificate revocation. It doesn’t work. Why?
Thanks in advance.
Hi Gabriel
Because of this, certificate revocation is disabled by default. Thus, one way to resolve this problem is by entering this command
revocation-check crl
under the trustpoint (crypto ca trustpoint LOCAL-CA-SERVER) mode.
Hi and thanks for the useful information.
Do you know how can I allow the traffic between vpn clients?
Thanks in advance.
Do you have the nat exception?
Something like that
nat (outside,outside) source static AnyConnect AnyConnect destination static AnyConnect AnyConnect
That should help you.
Hi and thanks for the useful information.
Can I do the same with cisco887va?
thanks in advance.
Hi moha
Yes, you can configure cisco887va as a “VPN concentrator” and CA server.
You’re welcome.
Hello Serge,
Can you use a Radius server to authenticate usernames and passwords when configuring the ASA? And then configure the router using AAA?
Thank you
Hi Kelly
You can do aaa and it’s really easy. Have a look at the commands:
aaa-server profile-name protocol radius
aaa-server profile-name (dmz) host IP key
aaa authentication ssh console profile-name LOCAL
aaa authorization command profile-name LOCAL
aaa accounting enable console profile-name
aaa accounting ssh console profile-name
So, let me know if you need some help.