As Bruno mentioned, you can use certificate maps to do it.

On ASA:

  crypto ca certificate map
  tunnel-group-map enable rules
  tunnel-group-map          (to map the cert map)

On the IOS, you configure a cert map and associate it to the ISAKMP profiles:

  crypto ca certificate map king 1

With regards
Kings

On Tue, Aug 3, 2010 at 7:08 PM, Bruno <[email protected]> wrote:

> I think you can match any field on the certificate you want doing
> "crypto ca certificate map NAME #number", and then, if the user is using
> the field CN to introduce itself, you can match it. Then just enable the
> tunnel group policy RULES and attach this certificate map to it. It would
> work fine.
>
> On Tue, Aug 3, 2010 at 8:33 AM, Kamran Shakil <[email protected]> wrote:
>
>> Dears,
>> As I was practicing the whole day today through ACLs on routers and ASA,
>> I just got a question in my mind.
>>
>> Suppose I have a VPN and a remote user is connecting; I have two options
>> to give him for authentication (preshare or certificate).
>>
>> If the remote person is not using preshare but rather a certificate, and
>> I want to block some of my certificate users while allowing the rest of
>> the users, is it possible? I heard Cisco has made some technique for such
>> scenarios..?
>>
>> Kingsly, Tyson ... anyone please? :)
>>
>> regards,
>> Kamran Shakil
>> ITA NDC Operations Engineer
>> Cisco - IT Advance Services Team
>> MidEast Data Systems LLC Oman
>> Cell: + 968 95804126
>> Office: + 968 24576640
>>
>> Confidentiality Warning: "This message and any attachments are intended
>> only for the use of the intended recipient(s), are confidential, and may be
>> privileged. If you are not the intended recipient, you are hereby notified
>> that any review, retransmission, conversion to hard copy, copying,
>> circulation or other use of all or any portion of this message and any
>> attachments is strictly prohibited. If you are not the intended recipient,
>> please notify the sender immediately by return e-mail, and delete this
>> message and any attachments from your system."
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
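As an added illustration of the certificate-map approach both replies describe (example configuration written for this page, not taken from the thread or from Cisco's documentation): the map names, CA name, trustpoint, tunnel-group names and the "revoked" CN are placeholders, and using a zero-login group-policy as the ASA deny target is this example's own choice.

```cisco
! ASA side: classify peers by certificate content, then map each class to a
! tunnel group with "tunnel-group-map enable rules". Rules inside one map
! sequence are ANDed; separate sequences are ORed.
crypto ca certificate map CERT-DENY 10
 subject-name attr cn eq revoked.user.example.com
crypto ca certificate map CERT-ALLOW 10
 issuer-name attr cn eq Example-Corp-Issuing-CA
 subject-name attr cn ne revoked.user.example.com
!
! The two maps are mutually exclusive (eq vs ne on the same CN), so rule
! order does not matter. The rule index refers to the map sequence number.
! Denied subjects land in a tunnel group whose group-policy permits zero
! concurrent logins (assumed deny mechanism, not stated in the thread).
tunnel-group-map enable rules
tunnel-group-map CERT-DENY 10 RA-DENIED
tunnel-group-map CERT-ALLOW 10 RA-VPN
!
group-policy GP-DENIED internal
group-policy GP-DENIED attributes
 vpn-simultaneous-logins 0
tunnel-group RA-DENIED type remote-access
tunnel-group RA-DENIED general-attributes
 default-group-policy GP-DENIED
!
! IOS side: the certificate map is attached to the ISAKMP profile with
! "match certificate". A peer whose certificate matches no profile's map
! cannot complete IKE, so listing only what is allowed denies the rest.
! ("crypto ca certificate map", as used in the thread, is the older spelling
! of "crypto pki certificate map".)
crypto pki certificate map CERT-ALLOW 10
 issuer-name co cn = example-corp-issuing-ca
 subject-name nc cn = revoked.user
!
crypto isakmp profile RA-PROFILE
 ca trust-point EXAMPLE-CA
 match certificate CERT-ALLOW
 isakmp authorization list default
 client authentication list default
 client configuration address respond
```

Verify with "show crypto ca certificate map" / "show run tunnel-group-map" on the ASA and "show crypto pki certificate map" on IOS, then test with one allowed and one excluded certificate before relying on it.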
