AnyConnect Certificate Based Authentication

As you know, nowadays it’s very popular to use tokens and certificates. Today’s article will run you through how to use the built-in CA (certificate authority) server feature of the ASA in order to issue certificates to SSL clients and perform certificate-based authentication. Of course, you can always use an external CA server in production.

Before we start, you should have already gone through the full-tunnel SSL VPN article, because that’s where I show you how to configure AnyConnect on ASA.

crypto ca server
lifetime ca-certificate 3650
lifetime certificate 365
keysize 2048
keysize server 2048
issuer-name CN=The CLI Geek
no shutdown passphrase passCisco
exit
crypto ca server user-db add tom-cert dn CN=tom-cert,OU=it,O=thecligeek
crypto ca server user-db allow user tom-cert
tunnel-group AnyConnect-TG-Cert type remote-access
tunnel-group AnyConnect-TG-Cert general-attributes
address-pool AnyConnect-Pool
default-group-policy AnyConnect-GP
tunnel-group AnyConnect-TG-Cert webvpn-attributes
group-alias "IT staff cert"
authentication certificate
crypto ca certificate map Cert-MAP 11
subject-name attr ou eq it
webvpn
certificate-group-map Cert-MAP 11 AnyConnect-TG-Cert
end
write memory

Verification
show crypto ca server
show crypto ca server cert-db
show crypto key mypubkey rsa
crypto ca server user-db show-otp user tom-cert
show clock
show ntp status

Debugging
debug crypto ca server

OK, let’s do it step-by-step.
First of all, make sure you have the correct time from a reliable source when using certificate-based authentication (show clock, show ntp status).
Next, we need to activate the local CA server, configure the lifetime, key size, issuer and a strong passphrase, which protects the local CA server. Optionally, you can configure the SMTP (Simple Mail Transfer Protocol) server used to send instructions to users about how to obtain identity certificates.
crypto ca server
lifetime ca-certificate 3650
lifetime certificate 365
keysize 2048
keysize server 2048
issuer-name CN=The CLI Geek
no shutdown passphrase passCisco

After the CA is enabled, we must create user accounts for all users eligible to obtain an identity certificate from ASA. Optionally, you can configure the user e-mail address to get the information from CA.
crypto ca server user-db add tom-cert dn CN=tom-cert,OU=it,O=thecligeek
crypto ca server user-db allow user tom-cert

We then create a tunnel group (connection profile) where we are going to use the certificate-based authentication(authentication certificate).
tunnel-group AnyConnect-TG-Cert type remote-access
tunnel-group AnyConnect-TG-Cert general-attributes
address-pool AnyConnect-Pool
default-group-policy AnyConnect-GP
tunnel-group AnyConnect-TG-Cert webvpn-attributes
group-alias "IT staff cert"
authentication certificate

Now, we need to create a map certificate to the connection profile, so that ASA can use appropriate connection profiles for users authenticating with identity certificates.
crypto ca certificate map Cert-MAP 11
subject-name attr ou eq it
webvpn
certificate-group-map Cert-MAP 11 AnyConnect-TG-Cert

That’s it! You’re done! But, you may ask, now what? Now, users are able to use the certificate. They can obtain their identity certificate using a web browser or AnyConnect client. Either way, before downloading the certificate, the user has to authenticate to the ASA by the previously defined username and a one-time password (OTP) generated by the ASA. The OTP can be sent to the user via e-mail or manually.
Once users completed the process of enrolling and installing the certificate, they will be able to log in using the certificate instead of a username and password.

9 thoughts on “AnyConnect Certificate Based Authentication”

  1. Hi Sergei,
    Thank you for a good article. I have a question about certificate revocation. It doesn’t work. Why?
    Thanks in advance.

    1. Hi Gabriel
      Because of this, certificate revocation is disabled by default. Thus, one way to resolve this problem is by entering this command revocation-check crl under the trustpoint (crypto ca trustpoint LOCAL-CA-SERVER) mode.

  2. Hi and thanks for the useful information.
    Do you know how can I allow the traffic between vpn clients?
    Thanks in advance.

    1. Do you have the nat exception?
      Something like that nat (outside,outside) source static AnyConnect AnyConnect destination static AnyConnect AnyConnect
      That should help you.

  3. Hello Serge,
    Can you use Radius server to auth usersname and password when configuring the ASA? and then configure the router using AAA?

    thanks you

    1. Hi Kelly
      You can do aaa and it’s really easy. Have a look at the commands:

      aaa-server profile-name protocol radius
      aaa-server profile-name (dmz) host IP key
      aaa authentication ssh console profile-name LOCAL
      aaa authorization command profile-name LOCAL
      aaa accounting enable console profile-name
      aaa accounting ssh console profile-name

      So, let me know if you need some help.

Leave a Reply

Your email address will not be published. Required fields are marked *