
CCIE Security V4 Technology Labs Section 7: Confidentiality and Secure Access

ASA AnyConnect SSL VPN with Digital Certificates
Last updated: May 20, 2013

Hardware Configuration(s)
Section 7 Confidentiality and Secure Access Config Files (/documents/configs/Section 7 Confidentiality And Secure Access Config Files.zip)

Note:
For this task, you can use the configuration files that resulted from completing the
previous task, or you can load the Section 7 Initial Configuration Files to initialize your
rack.

The configuration assumes that the previous Anyconnect SSL VPN task was
completed.

Task
Modify previous AnyConnect configuration to accomplish the following:
Use both certificate and username/password authentication.
The username should be automatically completed from the OU field of the certificate.
The username should not be visible to the connecting AnyConnect user.
Any incoming AnyConnect session with an OU of "ccielab" should be mapped to the
SSLVPN connection profile.
Use ASA4 as the CA server, enrolling the user test-user.

Overview
First we must activate the CA server on the ASA and enroll the user; it is essential to specify the
OU value of ccielab, because the certificate map and the username lookup below both key on it. Modify
the connection profile to use double authentication (both certificate and username/password) with the
command authentication certificate aaa, auto-complete the username value from the certificate OU
field with the command username-from-certificate OU, and hide the username in the AnyConnect window
with the command pre-fill-username ssl-client hide.
For an incoming IKE or SSL VPN session to be automatically mapped to a connection profile based
on certificate attributes, we must first enable the functionality with the command
tunnel-group-map enable rules. Then we must configure a certificate map that matches on
required certificate fields using the command crypto ca certificate map <NAME> <SQ_NR>.
Finally, we map SSL connections matching the configured rules to a connection profile at webvpn
level using the command
certificate-group-map <MAP_NAME> <SQ_NR> <CONNECTION_PROFILE>.

Configuration
ASA4:

crypto ca server
 no shutdown
!
crypto ca server user-db add test-user dn CN=test-user.ine.com,OU=ccielab
crypto ca server user-db allow user test-user
!
username ccielab password CISCO1234
!
tunnel-group SSLVPN general-attributes
 username-from-certificate OU
!
tunnel-group SSLVPN webvpn-attributes
 authentication certificate aaa
 pre-fill-username ssl-client hide
!
tunnel-group-map enable rules
crypto ca certificate map SSLVPN_MAP 10
 subject-name attr ou eq ccielab
!
webvpn
 certificate-group-map SSLVPN_MAP 10 SSLVPN
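To make the rule logic of the configuration above explicit, here is an added simulation in Python; it is not part of the INE workbook and not Cisco's ASA code. It models the certificate map match (subject-name attr ou eq ccielab), the certificate-group-map selection of the SSLVPN profile, the username-from-certificate OU lookup, and the double authentication (certificate and password). Assumptions, labelled in the code as well: group-map entries are evaluated in the order configured and the first match wins; several subject-name lines in one map entry must all match; attribute names and values compare case-insensitively; a rule whose attribute is absent from the subject never matches; with several OU values the first is used; DefaultWEBVPNGroup is the fallback profile. The DN strings and the local user database are constructed sample data.

```python
"""Added illustration of the ASA certificate-map and username-from-certificate
logic; not the ASA implementation. Matching semantics are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_PROFILE = "DefaultWEBVPNGroup"   # ASA built-in fallback tunnel-group


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Parse 'CN=test-user.ine.com,OU=ccielab' into {'cn': [...], 'ou': [...]}.
    A backslash-escaped comma inside a value is kept as part of the value."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):     # escaped character: literal
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    subject: Dict[str, List[str]] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        subject.setdefault(attr.strip().lower(), []).append(value.strip())
    return subject


@dataclass(frozen=True)
class Condition:
    """One 'subject-name attr <attr> <op> <value>' line of a certificate map."""
    attr: str
    op: str       # eq | ne | co | nc, the operators the ASA command accepts
    value: str

    def matches(self, subject: Dict[str, List[str]]) -> bool:
        values = [v.lower() for v in subject.get(self.attr.lower(), [])]
        want = self.value.lower()
        if not values:                         # assumption: absent attr never matches
            return False
        tests = {
            "eq": lambda v: v == want,
            "ne": lambda v: v != want,
            "co": lambda v: want in v,
            "nc": lambda v: want not in v,
        }
        return any(tests[self.op](v) for v in values)


# Constructed data mirroring the page's configuration.
CERT_MAPS: Dict[Tuple[str, int], List[Condition]] = {
    ("SSLVPN_MAP", 10): [Condition("ou", "eq", "ccielab")],
}
GROUP_MAP: List[Tuple[str, int, str]] = [("SSLVPN_MAP", 10, "SSLVPN")]
LOCAL_USERS = {"ccielab": "CISCO1234"}   # 'username ccielab password CISCO1234'


def select_profile(subject, cert_maps, group_map) -> str:
    """certificate-group-map: first group-map entry whose map entry fully matches."""
    for map_name, seq, profile in group_map:
        conds = cert_maps.get((map_name, seq), [])
        if conds and all(c.matches(subject) for c in conds):
            return profile
    return DEFAULT_PROFILE


def username_from_certificate(subject, attr: str = "ou") -> Optional[str]:
    """username-from-certificate <attr>: the AAA username is taken from the cert."""
    values = subject.get(attr.lower())
    return values[0] if values else None       # assumption: first value wins


def authenticate(subject_dn: str, cert_valid: bool, password: str,
                 local_users=LOCAL_USERS, cert_maps=CERT_MAPS, group_map=GROUP_MAP):
    """authentication certificate aaa: BOTH a valid certificate and the password
    for the pre-filled username are required. Whatever username the client
    would type is ignored; the OU decides which account is checked."""
    subject = parse_dn(subject_dn)
    user = username_from_certificate(subject)
    ok = bool(cert_valid and user and local_users.get(user) == password)
    return {"username": user,
            "profile": select_profile(subject, cert_maps, group_map),
            "authenticated": ok}


if __name__ == "__main__":
    print(authenticate("CN=test-user.ine.com,OU=ccielab", True, "CISCO1234"))
```

Running the module with the test-user certificate from the page yields the ccielab username, the SSLVPN profile and a successful double authentication; a certificate with a different OU falls to DefaultWEBVPNGroup, and a wrong password or an invalid certificate fails even though the other factor is fine. That is the property the configuration relies on: the client cannot pick the account it is tested against.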

Verification
Find the OTP issued by the ASA for the test-pc user.

Rack1ASA4(config)# crypto ca server user-db show-otp user test-pc

Username: test-pc
OTP: C0D8B0972050157B
Enrollment Allowed Until: 17:59:53 UTC Sun May 19 2013
From the Test PC, browse to https://136.1.100.8/+CSCOCA+/enroll.html to download the client
certificate, and authenticate with the test-pc user and the above OTP.

Install the client certificate and CA certificate using the procedure described in the PKI section.
When asked for the password that protects the private-key, enter the above OTP. After the
certificate is installed, ensure that it is valid by modifying the Windows system time accordingly.
Using AnyConnect, start the session to ASA; you will receive a prompt to enter the password for
the user ccielab.

Verify on the ASA that the session was mapped to the SSLVPN connection profile.
Rack1ASA4# show vpn-sessiondb anyconnect filter name ccielab

Session Type: AnyConnect

Username : ccielab Index : 21
Assigned IP : 20.0.0.1 Public IP : 136.1.100.100
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : RC4 AES128 Hashing : none SHA1
Bytes Tx : 9414 Bytes Rx : 617
Group Policy : SSLVPN Tunnel Group : SSLVPN
Login Time : 18:53:35 UTC Thu May 16 2013
Duration : 0h:04m:25s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
