[c-nsp] ASA 5500 SSL VPN Auth
Ryan West
rwest at zyedge.com
Thu Dec 18 00:58:12 EST 2014
On Thu, Dec 18, 2014 at 00:29:48, Kris Amy wrote:
> Subject: [c-nsp] ASA 5500 SSL VPN Auth
>
> Hi All,
>
> Been searching through the archives and haven't seen this setup, wondering
> if anyone has done this and has any pointers...
>
What pointers are you looking for? I've done a configuration like this before for kiosks using a specific group-url, a cert-enroll tunnel-group, and a certificate map to match the presented certificate against the device certificate on the ASA and the issuing CA. Getting a device certificate on the ASA and importing the CA are pretty easy. The bigger pain is the certificate map. Here's a small example that should point you in the right direction.
! Each sequence number is a separate rule; a certificate matches the map
! if it matches any one rule (lines within a single rule are ANDed).
crypto ca certificate map <name> 1
 issuer-name attr cn eq <intermediate>
crypto ca certificate map <name> 2
 issuer-name attr cn eq <root>
crypto ca certificate map <name> 3
 issuer-name attr cn eq <full name>
I don't recall the crypto debugs now, but you can see where it's matching.
> I'm attempting to do SSL VPN termination on a pair of Cisco ASA 5500s (active
> failover). To do auto-login without storing the username/password on the
> client machine I plan on deploying a PKI environment which the ASAs will
> then use for authenticating the end-points. The endpoints are required to
> have static IPs as well.
HTH
-ryan
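Pulling together the pieces Ryan lists (trustpoint, certificate map, certificate-only tunnel-group, group-url) plus the static-IP requirement from Kris's question, here is an added example configuration. It is not from the thread and not Cisco's documentation; every name in it (ISSUING-CA, KIOSK-MAP, KIOSK-TG, KIOSK-GP, KIOSK-POOL, vpn.example.com, the CN/OU values, the kiosk usernames and addresses) is an assumed placeholder, and it assumes the ASA already has its own identity certificate and WebVPN/AnyConnect enabled on the outside interface.

```cisco
! Added example, not from the original post. All names and values are
! assumed placeholders; adapt to your CA and addressing.

! 1. Trust the CA that issues the kiosk certificates. Keep CRL checking
!    on: revocation is the only way to lock out a lost or stolen kiosk
!    whose certificate is still within its validity period.
crypto ca trustpoint ISSUING-CA
 enrollment terminal
 revocation-check crl
crypto ca authenticate ISSUING-CA
! (paste the issuing CA's PEM here, then "quit")

! 2. Certificate map. Both lines sit under one sequence number, so both
!    must match; a second sequence number would be an alternative rule.
crypto ca certificate map KIOSK-MAP 10
 issuer-name attr cn eq Example Issuing CA
 subject-name attr ou eq Kiosks

! 3. Fallback pool and group-policy for kiosks (static addresses below
!    override the pool per device).
ip local pool KIOSK-POOL 10.20.30.100-10.20.30.199 mask 255.255.255.0
group-policy KIOSK-GP internal
group-policy KIOSK-GP attributes
 vpn-tunnel-protocol ssl-client

! 4. Tunnel-group: certificate is the only credential (no username or
!    password stored on the kiosk). The username is taken from the cert
!    CN and looked up in the LOCAL database for authorization; a cert
!    whose CN has no local entry is rejected by authorization-required.
tunnel-group KIOSK-TG type remote-access
tunnel-group KIOSK-TG general-attributes
 address-pool KIOSK-POOL
 default-group-policy KIOSK-GP
 authorization-server-group LOCAL
 authorization-required
tunnel-group KIOSK-TG webvpn-attributes
 authentication certificate
 username-from-certificate CN
 group-url https://vpn.example.com/kiosk enable

! 5. Bind the certificate map to the tunnel-group so a matching cert is
!    steered into KIOSK-TG even if the client did not use the group-url.
webvpn
 certificate-group-map KIOSK-MAP 10 KIOSK-TG

! 6. One local entry per kiosk, keyed by the certificate CN, carrying
!    the fixed address Kris asked for.
username kiosk01 nopassword
username kiosk01 attributes
 vpn-framed-ip-address 10.20.30.11 255.255.255.0
 vpn-group-policy KIOSK-GP
```

To confirm which rule a presented certificate hit and which tunnel-group it landed in, run `debug crypto ca` while a kiosk connects and then check the resulting session with `show vpn-sessiondb anyconnect`; the assigned address should be the one from the matching `username` entry, not one from the pool.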