Hardware Configuration(s)
Section 7 Confidentiality and Secure Access Config Files (/documents/configs/Section 7 Confidentiality And Secure Access Config Files.zip)
Note:
For this task, you can use the configuration files that resulted from completing the
previous task, or you can load the Section 7 Initial Configuration Files to initialize your
rack.
The configuration assumes that the previous AnyConnect SSL VPN task was completed.
Task
Modify previous AnyConnect configuration to accomplish the following:
Use both certificate and username/password authentication.
The username should be automatically completed from the OU field of the certificate.
The username should not be visible to the connecting AnyConnect user.
Any incoming AnyConnect session with an OU of "ccielab" should be mapped to the
SSLVPN connection profile.
Use ASA4 as the CA server, enrolling the user test-user.
Overview
First we must activate the CA server on ASA4 and enroll the user; it is most important to specify the
OU value of ccielab in the user's DN, because that is the field both the username derivation and the
certificate map will key on. Then modify the connection profile to use double authentication (both
certificate and username/password) with the command authentication certificate aaa, auto-complete
the username value from the certificate OU field with the command username-from-certificate OU, and
hide the username in the AnyConnect window with the command pre-fill-username ssl-client hide.
Note the scope of each command: username-from-certificate is configured under the connection
profile's general-attributes, while authentication and pre-fill-username live under its
webvpn-attributes. A local user named after the OU value (ccielab) must also exist, since the
derived username is what the AAA step validates the password against.
For an incoming IKE or SSL VPN session to be automatically mapped to a connection profile based
on certificate attributes, we first enable rule-based mapping with the command
tunnel-group-map enable rules. Then we configure a certificate map that matches on the
required certificate fields using the command crypto ca certificate map <NAME> <SQ_NR>; every
attribute rule inside one map entry must match for that entry to apply. Finally, for SSL sessions
we map connections matching the configured rules to a connection profile at webvpn level using
the command certificate-group-map <MAP_NAME> <SQ_NR> <CONNECTION_PROFILE>. A certificate that
matches no entry lands in the default WebVPN connection profile.
Configuration
ASA4:
crypto ca server
no shutdown
!
crypto ca server user-db add test-user dn CN=test-user.ine.com,OU=ccielab
crypto ca server user-db allow user test-user
!
username ccielab password CISCO1234
!
tunnel-group SSLVPN general-attributes
username-from-certificate OU
!
tunnel-group SSLVPN webvpn-attributes
authentication certificate aaa
pre-fill-username ssl-client hide
!
tunnel-group-map enable rules
crypto ca certificate map SSLVPN_MAP 10
subject-name attr ou eq ccielab
!
webvpn
certificate-group-map SSLVPN_MAP 10 SSLVPN
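To make the mapping rules above concrete, the following is an added example (not Cisco code and not part of the lab configuration) that models how the ASA evaluates a certificate map and derives the pre-filled username from a client certificate subject. It reproduces the documented semantics of the commands used here (map entries tried in order, every attribute rule in an entry must match, first match wins, operators eq/ne/co/nc, primary/secondary field for username-from-certificate) and runs the lab's own SSLVPN_MAP against constructed sample subjects. Case-insensitive comparison and the DefaultWEBVPNGroup fallback name are assumptions of this model; the second sample subject shows why a certificate from the same CA with a different OU does not reach SSLVPN and cannot pass AAA, because no local user of that name exists.

```python
"""Model of the ASA certificate-map and username-from-certificate logic.

Added example, not Cisco code and not part of the lab: it mirrors the documented
semantics of 'crypto ca certificate map', 'certificate-group-map' and
'username-from-certificate' so the reader can trace why only OU=ccielab lands
in SSLVPN. DN strings are constructed sample input; case-insensitive matching
is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_GROUP = "DefaultWEBVPNGroup"   # profile used when no map entry matches (assumed name)


@dataclass
class AttrRule:
    """One 'subject-name attr <attr> <op> <value>' line of a certificate map."""
    attr: str   # DN attribute type, e.g. "ou", "cn", "o"
    op: str     # eq = equals, ne = not equals, co = contains, nc = does not contain
    value: str


@dataclass
class CertMapEntry:
    """One 'crypto ca certificate map <NAME> <SEQ>' entry and its rules."""
    name: str
    seq: int
    subject_rules: List[AttrRule] = field(default_factory=list)


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Parse 'CN=test-user.ine.com,OU=ccielab' into {'cn': [...], 'ou': [...]}.
    Attribute types are lower-cased; a DN may repeat a type, so values are lists."""
    attrs: Dict[str, List[str]] = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        typ, val = rdn.split("=", 1)
        attrs.setdefault(typ.strip().lower(), []).append(val.strip())
    return attrs


def rule_matches(rule: AttrRule, attrs: Dict[str, List[str]]) -> bool:
    """Evaluate a single attribute rule against the parsed DN (case-insensitive)."""
    vals = [v.lower() for v in attrs.get(rule.attr.lower(), [])]
    want = rule.value.lower()
    if rule.op == "eq":
        return want in vals
    if rule.op == "ne":
        return want not in vals
    if rule.op == "co":
        return any(want in v for v in vals)
    if rule.op == "nc":
        return not any(want in v for v in vals)
    raise ValueError(f"unknown operator {rule.op!r}")


def select_tunnel_group(group_maps: List[Tuple[str, int, str]],
                        cert_maps: List[CertMapEntry],
                        subject_dn: str) -> str:
    """Mirror 'certificate-group-map <MAP> <SEQ> <PROFILE>': walk the group maps in
    the order given and return the profile of the first certificate map entry
    whose rules all match; otherwise fall back to the default WebVPN group."""
    attrs = parse_dn(subject_dn)
    entries = {(e.name, e.seq): e for e in cert_maps}
    for map_name, seq, profile in group_maps:
        entry = entries.get((map_name, seq))
        if entry is None:
            raise KeyError(f"certificate map {map_name} {seq} referenced but not defined")
        if entry.subject_rules and all(rule_matches(r, attrs) for r in entry.subject_rules):
            return profile
    return DEFAULT_GROUP


def username_from_certificate(subject_dn: str, primary: str = "OU",
                              secondary: Optional[str] = None) -> Optional[str]:
    """Mirror 'username-from-certificate <primary> [secondary]': first value of the
    primary field, else of the secondary field, else None (nothing to pre-fill)."""
    attrs = parse_dn(subject_dn)
    for fld in (primary, secondary):
        if fld and attrs.get(fld.lower()):
            return attrs[fld.lower()][0]
    return None


# The lab's configuration, expressed as data for this model.
LAB_CERT_MAPS = [CertMapEntry("SSLVPN_MAP", 10, [AttrRule("ou", "eq", "ccielab")])]
LAB_GROUP_MAPS = [("SSLVPN_MAP", 10, "SSLVPN")]
LOCAL_USERS = {"ccielab"}   # the 'username ccielab password ...' entry on ASA4


def classify(subject_dn: str) -> Tuple[str, Optional[str], bool]:
    """Return (connection profile, pre-filled username, whether that username
    exists in the local database so the AAA password step can succeed)."""
    profile = select_tunnel_group(LAB_GROUP_MAPS, LAB_CERT_MAPS, subject_dn)
    user = username_from_certificate(subject_dn, "OU")
    return profile, user, user in LOCAL_USERS


if __name__ == "__main__":
    # Constructed sample subjects: the enrolled lab user, and a certificate from
    # the same CA whose OU does not match the map.
    for dn in ("CN=test-user.ine.com,OU=ccielab", "CN=eve.ine.com,OU=sales"):
        print(dn, "->", classify(dn))
```

The point to take from the second sample: the certificate map only decides which connection profile a session lands in; it is the AAA step (the password for the local user named after the OU) that actually rejects a certificate holder the map does not recognise, so both halves of the double authentication must be in place.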
Verification
Find the OTP issued by the ASA for the test-user user (it is displayed on ASA4 with
crypto ca server user-db show-otp username test-user).
Install the client certificate and CA certificate using the procedure described in the PKI section.
When asked for the password that protects the private key, enter the above OTP. After the
certificate is installed, ensure that it is valid by modifying the Windows system time so that it
falls within the certificate's validity period.
Using AnyConnect, start the session to ASA4; because the username is pre-filled from the
certificate OU and hidden, you will only receive a prompt to enter the password for the user
ccielab.
Verify on the ASA that the session was mapped to the SSLVPN connection profile.
Rack1ASA4# show vpn-sessiondb anyconnect filter name ccielab