[c-nsp] ASA 5500 SSL VPN Auth

Kris Amy kris at amy.id.au
Thu Dec 18 02:26:08 EST 2014


Hi Ryan,

Thanks. That's where I was up to and got stuck. I got auth going no problem
but could not assign a specific IP to each end-point.

Got what I needed now it's working as expected.

Cheers,
Kris

On 17 December 2014 at 23:58, Ryan West <rwest at zyedge.com> wrote:
>
> On Thu, Dec 18, 2014 at 00:29:48, Kris Amy wrote:
> > Subject: [c-nsp] ASA 5500 SSL VPN Auth
> >
> > Hi All,
> >
> > Been searching through the archives and haven't seen this setup, wondering
> > if anyone has done this and has any pointers...
> >
>
> What pointers are you looking for?  I've done a configuration like this
> before for Kiosks using a specific group-url, a cert enroll tunnel-group,
> and a certificate map to match the presented certificate against the device
> certificate on the ASA and issuing CA.  Getting a device certificate on the
> ASA and importing CA are pretty easy.  The bigger pain is at the
> certificate map.  Here's a small example that should point you in the right
> direction.
>
> crypto ca certificate map <name> 1
>   issuer-name attr cn eq <intermediate>
> crypto ca certificate map <name> 2
>   issuer-name attr cn eq <root>
> crypto ca certificate map <name> 3
>   issuer-name attr cn eq <full name>
>
> I don't recall the crypto debugs now, but you can see where it's matching.
>
> > I'm attempting to do SSL VPN termination on a pair of Cisco ASA 5500s (active
> > failover). To do auto-login without storing the username/password on the
> > client machine I plan on deploying a PKI environment which the ASAs will
> > then use for authenticating the end-points. The endpoints are required to
> > have static IPs as well.
>
> HTH
>
> -ryan
>
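Ryan's outline (certificate map, certificate-authenticated tunnel-group, group-url) put together into one configuration, plus a local username entry so a given kiosk certificate always receives the same address; this is an added example, not configuration from the thread. The names KIOSK-CA, KIOSK-MAP, KIOSK-POOL, KIOSK-GP, KIOSK-TG, kiosk01, vpn.example.com, the issuer/OU values and the 10.10.10.0/24 addresses are assumptions.

```cisco
! Added example (not from the thread): certificate-only SSL VPN for kiosks.
! Assumed names: KIOSK-CA, KIOSK-MAP, KIOSK-POOL, KIOSK-GP, KIOSK-TG,
! kiosk01, vpn.example.com, issuer CN and OU values, 10.10.10.0/24.
!
! 1. Trust the issuing CA and check revocation on presented client certs.
crypto ca trustpoint KIOSK-CA
 enrollment terminal
 revocation-check crl
 crl configure
!
! 2. Certificate map: match on issuer AND subject so only certificates from
!    the kiosk CA carrying OU=Kiosks are steered into the kiosk tunnel-group.
crypto ca certificate map KIOSK-MAP 10
 issuer-name attr cn eq Kiosk-Issuing-CA
 subject-name attr ou eq Kiosks
!
! 3. Pool used when no per-user address is configured.
ip local pool KIOSK-POOL 10.10.10.100-10.10.10.199 mask 255.255.255.0
!
! 4. Group policy: SSL VPN client only.
group-policy KIOSK-GP internal
group-policy KIOSK-GP attributes
 vpn-tunnel-protocol ssl-client
!
! 5. Tunnel-group: certificate authentication, username taken from the cert
!    CN, local authorization so per-kiosk attributes (static IP) are applied.
tunnel-group KIOSK-TG type remote-access
tunnel-group KIOSK-TG general-attributes
 address-pool KIOSK-POOL
 default-group-policy KIOSK-GP
 authorization-server-group LOCAL
 authorization-required
 username-from-certificate CN
tunnel-group KIOSK-TG webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/kiosk enable
!
! 6. Bind the certificate map to the tunnel-group and enable SSL VPN.
webvpn
 enable outside
 certificate-group-map KIOSK-MAP 10 KIOSK-TG
!
! 7. Static IP per endpoint: a local username equal to the certificate CN
!    with vpn-framed-ip-address (one entry per kiosk certificate).
username kiosk01 nopassword
username kiosk01 attributes
 vpn-framed-ip-address 10.10.10.11 255.255.255.0
```

Matching on the subject OU as well as the issuer means a valid certificate from the same CA issued to a non-kiosk device is not mapped into the kiosk tunnel-group. `debug crypto ca` output shows which map rule a presented certificate matched, which is the place to look when a kiosk lands in the wrong tunnel-group.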