Technical and Product News and Insights from Rackspace
Certificate-based authentication is one of the most secure methods that Cisco AnyConnect provides for remote VPN access, with each user's identity certificate enrolled using a one-time password (OTP).
After software version 8, Cisco® included a complete certificate authority (CA) solution in the firewall with a web front end. This post describes how to use the built-in CA server feature of Adaptive Security Appliance (ASA) to issue certificates to SSL clients and perform certificate-based authentication.
Use the following steps to implement and verify certificate- and OTP-based authentication for an existing AnyConnect® remote access VPN environment:
Use the following commands to verify the current time:
show clock
show ntp status
If the time is not synchronized correctly, configure the ASA to match an external NTP server; certificate validity checks depend on an accurate clock, so this must be fixed before issuing any certificates.
Issue the following commands to activate the local CA server, configure the certificate lifetimes, key sizes, and issuer name, and set a strong passphrase that protects the local CA server. You can also configure the SMTP server used to send users instructions for obtaining their identity certificates.
crypto ca server
 lifetime ca-certificate 3650
 lifetime certificate 365
 keysize 2048
 keysize server 2048
 issuer-name CN=anyconnect certificate authentication
 no shutdown
 passphrase Cisco987
After you enable the CA, use the following commands to create user accounts for every user who is eligible to obtain an ASA identity certificate, and display the enrollment OTP.
crypto ca server user-db add cert_user dn CN=cert_user,OU=IT,O=exampleorganization
crypto ca server user-db allow user cert_user display-otp
Take note of the OTP and keep it handy.
To download and import the certificate, browse to https://<firewall IP address>/+CSCOCA/+enroll and log in with your username and the OTP, as shown in the following image.
Run the following commands to create a tunnel group where you are going to use the certificate-based authentication:
tunnel-group AnyConnect-TG-Cert type remote-access
tunnel-group AnyConnect-TG-Cert general-attributes
 address-pool AnyConnect-Pool
 default-group-policy AnyConnect-GP
Run the following commands to change the VPN authentication method for this tunnel group to certificate:
tunnel-group AnyConnect-TG-Cert webvpn-attributes
 authentication certificate
Run the following commands to create a certificate map and bind it to the tunnel group, so that the ASA selects the right connection profile for users who authenticate with an identity certificate (here, any certificate whose subject OU equals IT):
crypto ca certificate map Cert-MAP 100
 subject-name attr ou eq IT
webvpn
 certificate-group-map Cert-MAP 100 AnyConnect-TG-Cert
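Before rolling a certificate map out, it helps to check which connection profile a given certificate subject will land in. The following Python script is an added example, not part of the original post or Cisco's code: it models the certificate-map selection above with simplified assumptions (lowest sequence number wins, attribute and value comparisons are case-insensitive, and unmatched certificates fall back to an assumed default profile name).

```python
"""Model of ASA certificate-map selection for the Cert-MAP rule in this post.
Assumptions: first match by ascending sequence number, case-insensitive
comparison, and a hypothetical fallback profile name (not Cisco's code)."""
import re

# Each rule: (sequence, attribute, operator, value, tunnel_group).
# Mirrors: crypto ca certificate map Cert-MAP 100 / subject-name attr ou eq IT
#          webvpn / certificate-group-map Cert-MAP 100 AnyConnect-TG-Cert
CERT_MAP_RULES = [
    (100, "ou", "eq", "IT", "AnyConnect-TG-Cert"),
]
DEFAULT_TUNNEL_GROUP = "DefaultWEBVPNGroup"  # assumed fallback name


def parse_dn(dn: str) -> dict:
    """Split a DN such as 'CN=cert_user,OU=IT,O=exampleorganization' into a
    dict keyed by lower-case attribute type. A comma escaped as '\\,' stays
    inside the value instead of starting a new RDN."""
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().replace("\\,", ",")
    return attrs


def rule_matches(attrs: dict, attr: str, op: str, value: str) -> bool:
    """Evaluate one subject-name rule; eq/ne/co/nc are the ASA operators."""
    actual = attrs.get(attr.lower(), "").lower()
    wanted = value.lower()
    if op == "eq":
        return actual == wanted
    if op == "ne":
        return actual != wanted
    if op == "co":
        return wanted in actual
    if op == "nc":
        return wanted not in actual
    raise ValueError(f"unknown operator {op!r}")


def select_tunnel_group(subject_dn: str, rules=CERT_MAP_RULES) -> str:
    """Return the tunnel group the first matching rule maps to, else the default."""
    attrs = parse_dn(subject_dn)
    for _seq, attr, op, value, group in sorted(rules):
        if rule_matches(attrs, attr, op, value):
            return group
    return DEFAULT_TUNNEL_GROUP


if __name__ == "__main__":  # constructed sample subjects
    for dn in ("CN=cert_user,OU=IT,O=exampleorganization",
               "CN=bob,OU=Sales,O=exampleorganization"):
        print(dn, "->", select_tunnel_group(dn))
```

Run it against the subjects you plan to issue; any subject that prints the fallback profile will not be authenticated by AnyConnect-TG-Cert, which is what you want for users outside the IT organizational unit.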
After you complete the preceding steps, the system will prompt users for certificate-based authentication when they connect to the VPN portal, as shown in the following image:
By using the steps in this post, you can configure certificate-based authentication for Cisco AnyConnect remote access VPN and run the enrollment process from the ASA's built-in CA server. In production, you can also use a third-party, paid CA server to meet regulatory compliance and standards requirements.