Thanks this is the syntax I was looking for.
Josh
From: Piotr Matusiak [mailto:[email protected]]
Sent: Tuesday, January 11, 2011 1:07 PM
To: Joshua Fedor (US)
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] PKI certificate matching on an ASA
Hi,
I don't know about any dedicated doc for this feature, but you can find
something useful in the command reference at:
http://cisco.biz/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2223884
Generally, the ASA matches tunnel-group based on OU in the client certificate.
If you want to use a different tunnel-group and match it to a specific attribute
in the certificate subject name, you must use a cert map like:
! certificate map CERT_MAP, rule 10: match when the subject's C attribute equals US
crypto ca certificate map CERT_MAP 10
 subject-name attr C eq US
!
! bind rule 10 of CERT_MAP to tunnel-group TUN-GROUP, then switch on rule-based matching
tunnel-group-map CERT_MAP 10 TUN-GROUP
tunnel-group-map enable rules
HTH,
Piotr
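To sanity-check a certificate map before it goes onto a production ASA, it helps to predict which tunnel-group a given client certificate will land in. The script below is an added example written for this thread, not code from the list posters or from Cisco: it parses ASA-style `crypto ca certificate map` / `tunnel-group-map` text and emulates the matching logic (all `subject-name attr` rules inside one map entry must match, entries are tried in ascending sequence number, first hit wins, operators eq/ne/co/nc). The sample config, the subject strings, the case-insensitive comparison and the "C=US, O=..., CN=..." subject format are assumptions made here for illustration; issuer-name and alt-subject-name rules are not modelled, so verify the result against your own ASA version.

```python
"""Emulate ASA certificate-map evaluation to predict tunnel-group selection.

Added example for the thread above; not Cisco code. Matching semantics and the
subject-string format are assumptions documented in the comments.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    attr: str   # subject attribute tag, normalised to lower case (c, o, ou, cn, ...)
    op: str     # one of eq, ne, co, nc
    value: str


@dataclass
class MapEntry:
    map_name: str
    seq: int
    rules: List[Rule] = field(default_factory=list)


def parse_config(config: str) -> Tuple[List[MapEntry], Dict[Tuple[str, int], str]]:
    """Extract certificate-map entries and tunnel-group-map bindings from ASA CLI text."""
    entries: List[MapEntry] = []
    bindings: Dict[Tuple[str, int], str] = {}
    current: Optional[MapEntry] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):          # skip blanks and ASA comments
            continue
        m = re.fullmatch(r"crypto ca certificate map (\S+) (\d+)", line)
        if m:
            current = MapEntry(m.group(1), int(m.group(2)))
            entries.append(current)
            continue
        m = re.fullmatch(r"subject-name attr (\S+) (eq|ne|co|nc) (.+)", line)
        if m and current is not None:
            current.rules.append(Rule(m.group(1).lower(), m.group(2), m.group(3).strip()))
            continue
        # "tunnel-group-map enable rules" has no numeric rule index, so it is left alone here
        m = re.fullmatch(r"tunnel-group-map (\S+) (\d+) (\S+)", line)
        if m:
            bindings[(m.group(1), int(m.group(2)))] = m.group(3)
    entries.sort(key=lambda e: e.seq)                  # lowest sequence number is tried first
    return entries, bindings


def parse_subject(subject: str) -> Dict[str, List[str]]:
    """Split 'C=US, O=Example, OU=Eng, CN=josh' into {tag: [values]}.

    Assumption: comma-separated RDNs without escaped commas (enough for the demo).
    """
    attrs: Dict[str, List[str]] = {}
    for part in subject.split(","):
        tag, _, value = part.strip().partition("=")
        attrs.setdefault(tag.strip().lower(), []).append(value.strip())
    return attrs


def rule_matches(rule: Rule, attrs: Dict[str, List[str]]) -> bool:
    """Evaluate one 'subject-name attr <tag> <op> <value>' rule (case-insensitive, assumed)."""
    values = [v.lower() for v in attrs.get(rule.attr, [])]
    want = rule.value.lower()
    if rule.op == "eq":
        return want in values
    if rule.op == "ne":
        return want not in values
    if rule.op == "co":
        return any(want in v for v in values)
    if rule.op == "nc":
        return not any(want in v for v in values)
    raise ValueError(f"unknown operator {rule.op}")


def select_tunnel_group(config: str, subject: str) -> Optional[str]:
    """Return the tunnel-group the first fully matching map entry is bound to, or None."""
    entries, bindings = parse_config(config)
    attrs = parse_subject(subject)
    for entry in entries:
        # every rule inside one map entry must match (logical AND)
        if entry.rules and all(rule_matches(r, attrs) for r in entry.rules):
            return bindings.get((entry.map_name, entry.seq))
    return None


# Constructed sample config, modelled on the cert map from the thread with a
# more specific rule 10 in front of the country-only rule 20.
ASA_CONFIG = """
crypto ca certificate map CERT_MAP 10
 subject-name attr c eq US
 subject-name attr ou eq Engineering
crypto ca certificate map CERT_MAP 20
 subject-name attr c eq US
!
tunnel-group-map enable rules
tunnel-group-map CERT_MAP 10 TUN-ENG
tunnel-group-map CERT_MAP 20 TUN-GROUP
"""

if __name__ == "__main__":
    for subj in ("C=US, O=Example Corp, OU=Engineering, CN=jfedor",   # constructed subjects
                 "C=US, O=Example Corp, OU=Sales, CN=psmith",
                 "C=CA, O=Example Corp, OU=Engineering, CN=mlee"):
        print(f"{subj:55} -> {select_tunnel_group(ASA_CONFIG, subj)}")
```

A `None` result means no rule matched, so the ASA would fall back to whatever non-rule mapping (OU-based, peer IP, or the default group) is configured; ordering matters, because if rule 20 had the lower sequence number the Engineering cert would never reach the more specific rule.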
2011/1/11 Joshua Fedor (US)
<[email protected]>
Can anyone direct me to some documentation on certificate matching examples or
syntax on the ASA? I know this can be done with a certificate map on a router,
but is there a similar command on an ASA?
Thanks,
Josh
________________________________
Disclaimer: This e-mail communication and any attachments may contain
confidential and privileged information and is for use by the designated
addressee(s) named above only. If you are not the intended addressee, you are
hereby notified that you have received this communication in error and that any
use or reproduction of this email or its contents is strictly prohibited and
may be unlawful. If you have received this communication in error, please
notify us immediately by replying to this message and deleting it from your
computer. Thank you.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com<http://www.ipexpert.com>