Solved

AnyConnect VPN with Certificate Authentication

Posted on 2014-04-15
Last Modified: 2014-04-24
Can someone shed some light on how to set up VPN Access with Certificate Authentication? ASA 5505 8.2 with AnyConnect Essentials License and Mobile License.
Question by:Strinalena
8 Comments

Assisted Solution

by:btan
btan earned 333 total points
ID: 40003759
Good to understand the licence aspects in what they support (or scope within). One key point for the Essentials Licence is that it is without clientless SSL VPN (this is via the web portal). In other words, VPN is via the AnyConnect client installed, no web portal access (clientless). Only the Premium Licence supports both. Note: the portal still exists, but can only be used to download the AnyConnect client software.

Also for ASA 5505, it supports up to 25 simultaneous VPN peers/sessions. Additionally, you can also use this licence with the AnyConnect Mobile licence for access from mobile devices like phones or tablets; this licence is an additional purchase. Overall, "show version" will list what is available and the state of the licence in the ASA.

For the setup aspects, there are actually steps in CLI. But specific to the authentication type, using the certificate can be configured at the IPsec level where you need to create an ISAKMP policy in the connection profile. Please see here, and specifically the sections below:
"Determining an ID Method for ISAKMP Peers";
"Configuring Certificate Group Matching"

For mobile aspects, AnyConnect 3.1 is not available for mobile devices. However, you can continue to use the ASA to deploy AnyConnect 2.5 or earlier clients that do support mobile devices, even after loading the AnyConnect 3.1 package files to the ASA for web deployment. See the AnyConnect Secure Mobility Client Administrator Guides for AnyConnect 2.5 and earlier for information about configuring the ASA to deploy AnyConnect for mobile devices.

Overall, the ASDM may be easier (hopefully). You can catch the steps here, based on 2.3, as references.

Rather tough to state all steps, but hopefully the above can sum up to kickstart exploration into the approach; most of the Cisco documentation should already be available in the links above.

Accepted Solution

by:rauenpc
rauenpc earned 167 total points
ID: 40005152
When it comes down to it, to use certificate authentication you need to install the CA root (and any intermediate certificates if needed). Then install an identity certificate on the ASA signed by the root CA. Then you configure VPN access as normal, except that the authentication method is certificate. You will need to specify which trusted root certificate to base this off of (which is set globally, see attached image), and from there the clients just need to provide a certificate that was signed by the trusted root that the ASA uses.

I had to do a fair amount of playing around before I got this to work, but once it works, it's really slick. No more entering un/pw, and then you can start setting profiles to auto connect and do trusted network detection without being super annoying.

My experience is all on IOS 9.1, so I don't know if this process is the same or as easy on 8.2. I would highly recommend that you upgrade to 8.4 or later, but this may require additional hardware and will certainly require time to make the necessary config changes.
Attachment: asacertselect.jpg
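The procedure rauenpc describes, written out as ASA CLI (an added example, not configuration posted by anyone in this thread). Trustpoint, tunnel-group, pool and profile names, vpn.example.com, the issuer CN and the .pkg file name are placeholders; the syntax is 8.4/9.x, and on 8.2 the `anyconnect` keywords under `webvpn` are `svc` (`svc image`, `svc enable`, `svc profiles`) and the group-policy protocol is `vpn-tunnel-protocol svc`.

```cisco
! 1. Trust the issuing CA (add a second trustpoint for each intermediate if used)
crypto ca trustpoint CORP-ROOT-CA
 enrollment terminal
 revocation-check crl
crypto ca authenticate CORP-ROOT-CA
! paste the CA certificate in PEM form at the prompt, then enter "quit"

! 2. Identity certificate for the ASA, signed by the same CA
crypto key generate rsa label ASA-VPN-KEY modulus 2048
crypto ca trustpoint ASA-VPN-ID
 enrollment terminal
 keypair ASA-VPN-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=ExampleCorp
crypto ca enroll ASA-VPN-ID
! submit the displayed CSR to the CA, then paste the signed certificate here:
crypto ca import ASA-VPN-ID certificate
ssl trust-point ASA-VPN-ID outside

! 3. AnyConnect client access on the outside interface
ip local pool VPN-POOL 10.10.10.10-10.10.10.50 mask 255.255.255.0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-VERSION-k9.pkg 1
 anyconnect enable
 anyconnect profiles CORP-PROFILE disk0:/corp-profile.xml
group-policy CERT-USERS internal
group-policy CERT-USERS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN-POOL
 webvpn
  anyconnect profiles value CORP-PROFILE type user

! 4. Connection profile: certificate is the only authentication method
tunnel-group CERT-VPN type remote-access
tunnel-group CERT-VPN general-attributes
 default-group-policy CERT-USERS
tunnel-group CERT-VPN webvpn-attributes
 authentication certificate
 group-alias cert-users enable

! 5. Certificate group matching: only certificates issued by CORP-ROOT-CA
!    land in CERT-VPN; anything else falls back to the default tunnel-group
crypto ca certificate map CORP-CERT-MAP 10
 issuer-name attr cn eq ExampleCorpRootCA
tunnel-group-map enable rules
tunnel-group-map CORP-CERT-MAP 10 CERT-VPN
```

The `revocation-check crl` line is what makes a revoked client certificate stop working; with `revocation-check none` a lost device keeps VPN access until its certificate expires.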

Assisted Solution

by:btan
btan earned 333 total points
ID: 40005847
Author Comment

by:Strinalena
ID: 40019376
Thanks Guys! Will do my best to follow your guides. Apologies for the delay.
Author Comment

by:Strinalena
ID: 40019528
Can I just confirm: the authentication will only work if the ASA has a certificate signed by a CA, with the root certificate from the same CA?

What about the client (in our case, an iPhone): does it need to have a personal certificate as well? If yes, how can this be achieved?
Expert Comment

by:btan
ID: 40019569
Yes, as the ASA also needs to validate that it is a valid cert.

But do note that if you are trying to use a Machine Certificate (Local Computer store instead of User store), you need to have configured your AnyConnect Profile to have the CertificateStoreOverride and ensure that the CertificateStore is All or Machine. By default it is set to All; however, most users do not have the rights for the Machine store and thus cannot get the certificate. Also, your web browser would not have access to a Machine Cert either. You can also check the AnyConnect Event Logs from the Windows Event Log viewer and look for a vpnui entry where the function is getNextClientCert to see if the client found your certificate. You can find out more below.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/anyconnectadmin24/ac03features.html#wp1115206

For iPhone, yes, a user cert as well.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect24/iphone-user/guide/iphone-anyconnect-ug-24.html#wp49157
Author Comment

by:Strinalena
ID: 40019607
Thanks a lot!

Expert Comment

by:btan
ID: 40019771
You're welcome, glad to have helped.