Remote-access Guide

ASA remote access VPN certificate authentication

by Ariel Johnston Published 2 years ago Updated 2 years ago

Open ASDM > Configuration > Remote Access VPN > Certificate Management > CA Certificates and click Add. In the Install Certificate screen, click Browse, select the CA certificate that was previously downloaded from the CA server, and click Install Certificate. Now you can set the ASA to authenticate computers based on installed certificates.

Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Edit the profile you just created. Under the Authentication section, choose "Both". This will enable both a username/password check and a certificate check. (Sep 7, 2010)


How do I set ASA to authenticate computers based on installed certificates?

Now you can set ASA to authenticate computers based on installed certificates. On ASDM, navigate to Network (Client) Access > AnyConnect Connection Profiles, select your AnyConnect Connection Profile and click Edit. In the Basic settings > Authentication, set the method to Certificate only.

How to configure Cisco Adaptive Security Appliance (ASA) VPN with EAP authentication?

Step 1. Install the CA certificate. Step 2. Configure the VPN connection. This document provides a configuration example for a Cisco Adaptive Security Appliance (ASA) Version 9.3.2 and later that allows remote VPN access to use Internet Key Exchange Protocol (IKEv2) with standard Extensible Authentication Protocol (EAP) authentication.

How do I set up a remote access VPN certificate?

Navigate to Configuration > Remote Access VPN > Certificate Management, and choose Identity Certificates. Click Add. Define a trustpoint name under Trustpoint Name. Click the Add a new identity certificate radio button. For the Key Pair, click New.

How do I set up AnyConnect certificate authentication?

On ASDM, navigate to Network (Client) Access > AnyConnect Connection Profiles, select your AnyConnect Connection Profile and click Edit. In the Basic settings > Authentication, set the method to Certificate only.


How do I add a certificate to ASA AnyConnect?

In ASDM select "Configuration" and then "Device Management." Click "Advanced" and then "SSL Settings." From "Certificates," choose the interface used to terminate WebVPN sessions, and then choose "Edit." From the "Certificate" drop-down, select the newly installed certificate, then "OK," and then "Apply."

What certificate does AnyConnect use?

The AnyConnect group has been created at this point. 5) Install the CA certificate in the ASA: The CA certificate must be downloaded from the CA server and installed in the ASA. Complete these steps in order to download the CA certificate from the CA server.

Does AnyConnect require a certificate?

Since AnyConnect is based on SSL VPN, the first time you try to connect you are prompted with the certificate presented by the ASA.

How do I get a certificate AnyConnect?

Perform the following steps to verify certificate-based authentication for AnyConnect remote access VPN: Verify the correct date and time. ... Activate and configure the local CA server. ... Create user accounts and a one-time password. ... Create a tunnel group. ... Create a certificate map. ... Connect to the VPN portal.

Where do I find my VPN certificate?

You can view the certificate by opening certmgr.msc, or Manage User Certificates.

How do I add a VPN certificate?

Step 2. Upload or create certificates: Go to the ADVANCED > Certificates page. Click Upload. Certificate Name – Enter VPN Certificate. Certificate Type – Select the type of certificate you want to upload. Add to VPN Certificates – Enable the checkbox. ... Click Save.

How do I renew Cisco AnyConnect VPN certificate?

It's quite easy:
  • Generate a new named RSA pub/priv keypair of 2048 bit.
  • Configure a new trustpoint with the new labeled key.
  • Generate a new CSR based on the new trustpoint.
  • Get your new certificate with the CSR.
  • Import the certificate into the trustpoint.
  • Change the public interface to use the new trustpoint.
  • Done!

What is certificate based VPN?

You can use certificates for authentication in both the policy-based and route-based VPNs. A certificate authority (CA) issues certificates as proof of identity. Gateways that form a VPN tunnel are configured to trust the CA that signed the other gateway's certificate.

How do I export a CA certificate from Cisco ASA?

Navigate to Configuration > Remote Access VPN > Certificate Management > Identity Certificates. Click Export. Choose a location to export the file. Enter the Encryption Passphrase and confirm the passphrase.

How do I view Cisco ASA certificates?

Open the Cisco ASDM, then Under the Remote Access VPN window pane, then in the Configuration tab, expand Certificate Management and click 'CA Certificates'.

How do I fix a VPN certificate error?

How do I fix VPN validation failure? Check the validity of your VPN certificate. Press the Windows and R keys on your device to open the Run tab, type in mmc, then press Enter. ... Update your VPN certificate. Click on the magnifying glass icon from your Taskbar, then type in certlm. ... Turn on OCSP Nonce on the Windows server.

How does SSL VPN Work?

An SSL tunnel VPN allows a web browser to securely access multiple network services that are not just web-based via a tunnel that is under SSL. These services could be proprietary networks or software built for corporate use only that cannot be accessed directly via the internet.

How do I add a VPN to Cisco AnyConnect?

Connect: Open the Cisco AnyConnect app. Select the connection you added, then turn on or enable the VPN. Select the Group drop-down and choose the VPN option that best suits your needs. Enter your Andrew userID and password. Tap Connect.

How do I add a profile to AnyConnect secure mobility client?

Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. Choose Add. Give the profile a name. Choose the Umbrella Security Roaming Client type from the Profile Usage drop-down list.

Where is Cisco ASDM?

Complete the below steps. Now, launch the ASDM by typing "https://192.168.100.2" in the web browser of any PC which is in the 192.168.100.0 network. You should be able to access the ASA using the ASDM from that PC.

What version of ASDM is used in the ASA 5500-X?

This document uses an ASA 5500-X that runs software version 9.4.1 and ASDM version 7.4(1).

How to view SSL certificates on GoDaddy?

After purchase and the initial setup phase of the SSL certificate, navigate to the GoDaddy Account and view the SSL Certificates. There must be a new certificate. Click Manage in order to proceed.

What is OpenSSL config?

OpenSSL makes use of the OpenSSL config file to pull the attributes to be used in the CSR generation. This process results in the generation of a CSR and a Private Key. Caution: Ensure that the Private key that is generated is not shared with anyone else as this might compromise the integrity of the certificate.

What is a CSR certificate?

Once the private/public Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) keypair is generated (Appendix A details the difference between the use of RSA or ECDSA), a Certificate Signing Request (CSR) is created. A CSR is basically a PKCS10 formatted message that contains the public key and identity information of the requesting host. PKI Data Formats explains the different certificate formats applicable to the ASA and Cisco IOS®.

Why use OpenSSL?

Use OpenSSL in order to generate the CSR and include the multiple SANs in the openssl.cnf file as shown in this section.
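As an added example, not part of the Cisco document or the answers above, the following POSIX shell script does what this section and the renewal answer describe: it generates an RSA 2048 keypair, writes an openssl.cnf whose alt_names section lists every SAN the VPN headend will be reached under, produces the CSR, and decodes the SAN line back out of the CSR so it can be checked before the request goes to the CA. The hostnames, the organisation name and the working directory are constructed placeholders; the private key is never part of what is submitted.

```shell
#!/bin/sh
# Added example, not the Cisco document's own text or tooling: build an RSA 2048
# keypair and a CSR carrying several Subject Alternative Names from a generated
# openssl.cnf. Hostnames and organisation name are constructed placeholders.
set -e

# gen_csr_with_sans WORKDIR CN HOST1 [HOST2 ...]
# Writes WORKDIR/openssl.cnf, WORKDIR/vpn.key (private key) and WORKDIR/vpn.csr.
gen_csr_with_sans() {
    dir="$1"; cn="$2"; shift 2
    mkdir -p "$dir"
    # One DNS.n line per hostname for the alt_names section.
    alt=""; i=1
    for host in "$@"; do
        alt="${alt}DNS.${i} = ${host}
"
        i=$((i + 1))
    done
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
O  = Example Org
CN = ${cn}

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
${alt}
EOF
    # The private key stays on this host; only the CSR (public key + identity) goes to the CA.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -keyout "$dir/vpn.key" -out "$dir/vpn.csr" 2>/dev/null
    chmod 600 "$dir/vpn.key"
}

# csr_sans WORKDIR: print the SAN list decoded from the CSR, for review before submission.
csr_sans() {
    openssl req -in "$1/vpn.csr" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

demo=$(mktemp -d)
gen_csr_with_sans "$demo" vpn.example.test vpn.example.test vpn-lb.example.test vpn2.example.test
echo "CSR written to $demo/vpn.csr with SANs:"
csr_sans "$demo"
```

The CN is repeated as the first SAN on purpose: current browsers and clients match the host name against the SAN list only, so a certificate whose CN is not also a SAN produces the untrusted-name warning the Troubleshoot section mentions. Review the decoded SAN line (and `openssl req -noout -verify`) before the CSR leaves the box; a CA will happily sign whatever names it was handed.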

What is ECDSA compared to RSA?

This means that with ECDSA the same level of security as RSA can be achieved, but with smaller keys. This reduces computation time and increases the connection times for sites that use ECDSA certificates.

How to add a certificate to a PKCS12 file?

Click the Import the identity certificate from a file radio button. Enter the passphrase used to create the PKCS12 file. Browse and select the PKCS12 file. Enter the certificate passphrase. Click Add Certificate. Navigate to Configuration > Remote Access VPN > Advanced, and choose SSL Settings.

What do you need to do a revocation check on an ASA?

In order for the ASA to be able to perform a revocation check, you need either CRL or OCSP checking set up on the ASA.

How to edit anyconnect profile?

On ASDM, navigate to Network (Client) Access > AnyConnect Connection Profiles, select your AnyConnect Connection Profile and click Edit.

Where to enter OCSP server URL?

In the Advanced tab > OCSP options, enter the OCSP server URL. In this example we use http://ad01.tayam.com/ocsp

Can ASA allow AnyConnect?

You can configure ASA to allow AnyConnect access only from the devices which have a certificate signed by your CA server installed on it. By doing this, you can restrict AnyConnect access to your corporate devices only.

Can AnyConnect VPN be used remotely?

In the previous few posts, I have set up AnyConnect VPN and LDAP authentication for AnyConnect. With LDAP authentication you can control who can do remote access with AnyConnect; however, with the LDAP configuration anyone who knows an LDAP username and password can do remote access from any personal device, as long as the AnyConnect client is installed on it.

Where does root certificate go after export?

Once the root certificate has been exported, go to ASDM.

Can AnyConnect certificate be authenticated?

At this point any computer which has the AnyConnect certificate installed in the user's personal certificate store can authenticate. However, as you can see, the ASA is bypassing the revocation check, meaning the ASA validates the certificate based on its existence only and does not check whether the certificate has been revoked.

What is EAP encapsulated in?

All subsequent EAP packets are encapsulated in IKE_AUTH. After the supplicant confirms the method (EAP-PEAP), it starts to build a Secure Sockets Layer (SSL) tunnel which protects the MSCHAPv2 session used for authentication.

Does AnyConnect support EAP?

If there is a need for a specific split tunnel policy, AnyConnect should be used. AnyConnect does not support standardized EAP methods which are terminated on the AAA server (PEAP, Transport Layer Security). If there is a need to terminate EAP sessions on the AAA server then the Microsoft client can be used.


Introduction

Prerequisites

  • Requirements
    This document requires access to a trusted third-party Certificate Authority (CA) for certificate enrollment. Examples of third-party CA vendors include, but are not limited to, Baltimore, Cisco, Entrust, Geotrust, G, Microsoft, RSA, Thawte, and VeriSign. Before you start, verify that the ASA h…
  • Components Used
    This document uses an ASA 5500-X that runs software version 9.4.1 and ASDM version 7.4(1). The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your netwo…
See more on cisco.com

Configure

  • The SSL protocol mandates that the SSL Server provide the client with a server certificate for the client to perform server authentication. Cisco does not recommend use of a self-signed certificate because of the possibility that a user could inadvertently configure a browser to trust a certificate from a rogue server. There is also the inconvenience to users to have to respond to a security w…

Verify

  • Use these steps in order to verify successful installation of the third-party Vendor Certificate and use for SSLVPN connections.

Frequently Asked Questions

  • 1. What is the best way to transfer identity certificates out of one ASA onto a different ASA?
    Export the certificate along with the keys to a PKCS12 file. Use this command in order to export the certificate via the CLI from the original ASA: Corresponding ASDM configuration: Use this command in order to import the certificate via CLI to the target ASA: Corresponding ASDM confi…
  • 2. How to generate SSL certificates for use with VPN Load Balancing ASAs?
    There are multiple methods that can be used to set up ASAs with SSL certificates for a VPN Load Balancing environment. 1. Use a single Unified Communications/Multiple Domains Certificate (UCC) which has the load-balancing FQDN as the DN and each of the ASA FQDNs as a separate …

Troubleshoot

  • Troubleshooting Commands
    These debug commands are to be collected on the CLI in the case of an SSL Certificate Installation failure:
      debug crypto ca 255
      debug crypto ca messages 255
      debug crypto ca transactions 255
  • Common Issues
    Untrusted certificate warning when using a valid third-party SSL certificate on the external interface on ASA running 9.4(1) and later. Solution: This issue presents itself when an RSA keypair is used with the certificate. On ASA versions from 9.4(1) onwards, all the ECDSA and RSA cipher…

Appendix

  • Appendix A: ECDSA or RSA
    The ECDSA algorithm is a part of the Elliptic curve cryptography (ECC) and uses an equation of an elliptic curve to generate a Public Key whereas the RSA algorithm uses the product of two primes plus a smaller number to generate the Public Key. This means that with ECDSA the same level o…
  • Appendix B: Use OpenSSL to Generate a PKCS12 Certificate from an Identity Certificate, CA Certi…
    1. Ensure that OpenSSL is installed on the system that this process is run on. For Mac OSX and GNU/Linux users, this will be installed by default. 2. Switch to a working directory. On Windows: By default, the utilities are installed in C:\Openssl\bin. Open a command prompt in this location. On …
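The following script is an added example and not the Cisco document's own Appendix B procedure or any answer above. It builds a throwaway OpenSSL test CA and uses it for two things the page describes: bundling an identity certificate, its private key and the CA certificate into one PKCS12 file (plus the base64 form that the ASA CLI `crypto ca import ... pkcs12` command takes as pasted text), and showing what a revocation check adds over validation that only confirms the certificate exists and chains to the trusted CA, the situation the "bypassing revocation check" answer warns about. CRL checking is used here because it runs offline; on the ASA the equivalent knob is the CRL or OCSP revocation-check setting on the CA certificate's trustpoint. All names, the working directory and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the Cisco document: a throwaway OpenSSL test CA
# used to show (1) the Appendix B PKCS12 bundle of key + identity cert + CA cert
# and (2) why a revocation check matters. Names and passphrase are constructed.
set -e

# make_test_ca DIR: self-signed CA plus the index/serial files 'openssl ca' needs.
make_test_ca() {
    dir="$1"
    mkdir -p "$dir/ca/newcerts"
    : > "$dir/ca/index.txt"
    echo 1000 > "$dir/ca/serial"
    echo 1000 > "$dir/ca/crlnumber"
    cat > "$dir/ca/ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
CN = Example Test CA
[ ca ]
default_ca = test_ca
[ test_ca ]
dir              = $dir/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = loose
[ loose ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$dir/ca/ca.cnf" \
        -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.crt" 2>/dev/null
}

# issue_client_cert DIR NAME: key + CSR for the device, signed by the CA with the clientAuth EKU.
issue_client_cert() {
    dir="$1"; name="$2"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca/ca.cnf" -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl ca -batch -config "$dir/ca/ca.cnf" -extensions client_ext -notext \
        -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}

# export_pkcs12 DIR NAME PASS: Appendix B step, key + identity cert + CA cert in one file,
# plus the base64 text form for pasting into the ASA CLI pkcs12 import.
export_pkcs12() {
    dir="$1"; name="$2"; pass="$3"
    openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
        -certfile "$dir/ca/ca.crt" -name "$name" -passout "pass:$pass" -out "$dir/$name.p12"
    openssl base64 -in "$dir/$name.p12" -out "$dir/$name.p12.b64"
}

# revoke_and_publish_crl DIR NAME: mark the cert revoked in the CA database and issue a CRL.
revoke_and_publish_crl() {
    dir="$1"; name="$2"
    openssl ca -batch -config "$dir/ca/ca.cnf" -revoke "$dir/$name.crt" 2>/dev/null
    openssl ca -batch -config "$dir/ca/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# verify_chain_only DIR NAME: validation with no revocation data, i.e. what a bypassed
# revocation check amounts to. Exit status 0 means the chain is accepted.
verify_chain_only() {
    openssl verify -CAfile "$1/ca/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# verify_with_crl DIR NAME: same chain, but the CRL is consulted; a revoked cert is rejected.
verify_with_crl() {
    openssl verify -CAfile "$1/ca/ca.crt" -crl_check -CRLfile "$1/crl.pem" "$1/$2.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_test_ca "$demo"
issue_client_cert "$demo" laptop01
export_pkcs12 "$demo" laptop01 'demo-passphrase'
echo "PKCS12 bundle: $demo/laptop01.p12 (base64 copy in laptop01.p12.b64)"
revoke_and_publish_crl "$demo" laptop01
if verify_chain_only "$demo" laptop01; then echo "chain only: laptop01 still accepted (CRL not consulted)"; fi
if verify_with_crl "$demo" laptop01; then echo "with CRL: accepted"; else echo "with CRL: laptop01 rejected (revoked)"; fi
```

The last two lines are the point: after the certificate is revoked, the chain-only check still says OK, so a lost or decommissioned laptop keeps its VPN access until revocation data is actually consulted; the CRL-aware check rejects it. Two practical caveats for the PKCS12 step: the passphrase given to `-passout` is the one ASDM asks for on import, and OpenSSL 3 writes AES/PBKDF2-protected PKCS12 by default, so if an older importer rejects the file, the `-legacy` option of `openssl pkcs12` produces the older encoding.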
