AnyConnect Certificate Based Authentication

As you know, nowadays it’s very popular to use tokens and certificates. Today’s article will run you through how to use the built-in CA (certificate authority) server feature of the ASA in order to issue certificates to SSL clients and perform certificate-based authentication. Of course, you can always use an external CA server in production.

Before we start, you should have already gone through the full-tunnel SSL VPN article, because that’s where I show you how to configure AnyConnect on ASA.

crypto ca server
lifetime ca-certificate 3650
lifetime certificate 365
keysize 2048
keysize server 2048
issuer-name CN=The CLI Geek
no shutdown passphrase passCisco
exit
crypto ca server user-db add tom-cert dn CN=tom-cert,OU=it,O=thecligeek
crypto ca server user-db allow user tom-cert
tunnel-group AnyConnect-TG-Cert type remote-access
tunnel-group AnyConnect-TG-Cert general-attributes
address-pool AnyConnect-Pool
default-group-policy AnyConnect-GP
tunnel-group AnyConnect-TG-Cert webvpn-attributes
group-alias "IT staff cert"
authentication certificate
crypto ca certificate map Cert-MAP 11
subject-name attr ou eq it
webvpn
certificate-group-map Cert-MAP 11 AnyConnect-TG-Cert
end
write memory

Verification
show crypto ca server
show crypto ca server cert-db
show crypto key mypubkey rsa
crypto ca server user-db show-otp user tom-cert
show clock
show ntp status

Debugging
debug crypto ca server

OK, let’s do it step-by-step.
First of all, make sure you have the correct time from a reliable source when using certificate-based authentication (show clock, show ntp status).
Next, we need to enable the local CA server and configure the certificate lifetimes, key sizes, issuer name and a strong passphrase, which protects the local CA server. Optionally, you can configure the SMTP (Simple Mail Transfer Protocol) server used to send instructions to users about how to obtain their identity certificates.
crypto ca server
lifetime ca-certificate 3650
lifetime certificate 365
keysize 2048
keysize server 2048
issuer-name CN=The CLI Geek
no shutdown passphrase passCisco

After the CA is enabled, we must create user accounts for all users eligible to obtain an identity certificate from the ASA. Optionally, you can configure the user's e-mail address so that the CA can send them the enrollment information.
crypto ca server user-db add tom-cert dn CN=tom-cert,OU=it,O=thecligeek
crypto ca server user-db allow user tom-cert

We then create a tunnel group (connection profile) that uses certificate-based authentication (authentication certificate).
tunnel-group AnyConnect-TG-Cert type remote-access
tunnel-group AnyConnect-TG-Cert general-attributes
address-pool AnyConnect-Pool
default-group-policy AnyConnect-GP
tunnel-group AnyConnect-TG-Cert webvpn-attributes
group-alias "IT staff cert"
authentication certificate

Now, we need to create a certificate map and bind it to the connection profile, so that the ASA can select the appropriate connection profile for users authenticating with identity certificates. Here, any certificate whose subject OU attribute equals "it" is mapped to the AnyConnect-TG-Cert tunnel group.
crypto ca certificate map Cert-MAP 11
subject-name attr ou eq it
webvpn
certificate-group-map Cert-MAP 11 AnyConnect-TG-Cert
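To show how the certificate map above decides which connection profile a client lands in, here is an added Python model (not code from the article or from Cisco): it evaluates subject-name attr rules with the ASA operators eq/ne/co/nc against a parsed subject DN, after first checking the certificate validity window against the ASA clock. Case-insensitive attribute comparison and the DefaultWEBVPNGroup fallback for unmatched certificates are assumptions about ASA behaviour.

```python
from datetime import datetime

# Operators of `subject-name attr <attr> <op> <value>`: eq, ne, co (contains), nc.
OPERATORS = {
    "eq": lambda actual, want: actual == want,
    "ne": lambda actual, want: actual != want,
    "co": lambda actual, want: want in actual,
    "nc": lambda actual, want: want not in actual,
}

# The map from the article: (map name, index, rules, tunnel group).
# All rules under one index must match (logical AND).
CERT_MAPS = [("Cert-MAP", 11, [("ou", "eq", "it")], "AnyConnect-TG-Cert")]

# Fallback when no map matches (assumed): the ASA built-in default tunnel group.
DEFAULT_TUNNEL_GROUP = "DefaultWEBVPNGroup"

def parse_dn(dn):
    """'CN=tom-cert,OU=it,O=thecligeek' -> {'cn': 'tom-cert', 'ou': 'it', ...}.
    Simple DNs only (no escaped commas, no multi-valued RDNs)."""
    attrs = {}
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs

def rule_matches(attrs, attr, op, want):
    # Assumption: the ASA compares attribute values case-insensitively.
    actual = attrs.get(attr.lower(), "").lower()
    return OPERATORS[op](actual, want.lower())

def select_tunnel_group(subject_dn, cert_maps=CERT_MAPS):
    """Return the tunnel group a certificate with this subject lands in."""
    attrs = parse_dn(subject_dn)
    # Map indices are evaluated lowest first; the first full match wins.
    for _name, _idx, rules, tunnel_group in sorted(cert_maps, key=lambda m: m[1]):
        if all(rule_matches(attrs, *rule) for rule in rules):
            return tunnel_group
    return DEFAULT_TUNNEL_GROUP

def evaluate_client(subject_dn, not_before, not_after, now):
    """Check the validity window against the ASA clock, then map the profile.
    Dates are ISO 8601 strings. Returns (tunnel_group or None, reason)."""
    nb, na, clock = (datetime.fromisoformat(s) for s in (not_before, not_after, now))
    if clock < nb:
        return None, "certificate not yet valid (check ASA clock / NTP)"
    if clock > na:
        return None, "certificate expired (check ASA clock / NTP)"
    return select_tunnel_group(subject_dn), "ok"
```

Feeding it the DN used for tom-cert above returns AnyConnect-TG-Cert, while a certificate from another OU, or one outside its validity window because the ASA clock is wrong, does not.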

That’s it! You’re done! But, you may ask, now what? Now users can enroll for their certificates. They can obtain their identity certificate using a web browser or the AnyConnect client. Either way, before downloading the certificate, the user has to authenticate to the ASA with the previously defined username and a one-time password (OTP) generated by the ASA. The OTP can be sent to the user via e-mail or handed over manually.
Once users have completed enrollment and installed the certificate, they will be able to log in using the certificate instead of a username and password.
