I came across this on a quick search earlier as well... you may want to check
it out if you have any issues with the match working when it should not.
http://www.mail-archive.com/[email protected]/msg06881.html
NM
From: [email protected] [mailto:[email protected]] On Behalf Of Joshua Fedor (US)
Sent: Tuesday, January 11, 2011 1:08 PM
To: Piotr Matusiak
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] PKI certificate matching on an ASA
Thanks this is the syntax I was looking for.
Josh
From: Piotr Matusiak [mailto:[email protected]]
Sent: Tuesday, January 11, 2011 1:07 PM
To: Joshua Fedor (US)
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] PKI certificate matching on an ASA
Hi,
I don't know about any dedicated doc for this feature, but you can find
something useful in the command reference at:
http://cisco.biz/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2223884
Generally, the ASA matches the tunnel-group based on the OU in the client certificate.
If you want to use a different tunnel-group and match it to a specific attribute in
the certificate subject name, you must use a cert map like:
crypto ca certificate map CERT_MAP 10
subject-name attr C eq US
!
tunnel-group-map CERT_MAP 10 TUN-GROUP
tunnel-group-map enable rules
HTH,
Piotr
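The matching Piotr describes, worked through as an added example (not from the thread, and not Cisco code): a small Python model of how a certificate map entry selects a tunnel-group, applied to his `C eq US` rule and to a tightened entry that ANDs an OU rule onto it. The operator set, case-insensitive comparison and first-match-by-sequence behaviour are assumed ASA semantics, and the three client certificates are constructed.

```python
"""Model of how an ASA 'crypto ca certificate map' picks a tunnel-group (constructed
example, not ASA code). Assumed semantics: case-insensitive string comparison, all
rules in one map entry must match (AND), lowest sequence number that matches wins."""
from collections import namedtuple

# One rule line such as "subject-name attr C eq US": field, DN attribute, operator, value.
Rule = namedtuple("Rule", "field attr op value")
# The four ASA match operators: equal, not-equal, contains, not-contains.
OPS = {
    "eq": lambda have, want: have == want,
    "ne": lambda have, want: have != want,
    "co": lambda have, want: want in have,
    "nc": lambda have, want: want not in have,
}

def parse_dn(dn):
    """'C=US, OU=VPN-Users, CN=alice' -> {'c': ['us'], 'ou': ['vpn-users'], 'cn': ['alice']}."""
    out = {}
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        out.setdefault(key.strip().lower(), []).append(val.strip().lower())
    return out

def rule_matches(rule, cert):
    # A multi-valued attribute (two OUs) matches if any value does; a missing attribute never matches.
    values = parse_dn(cert[rule.field]).get(rule.attr.lower(), [])
    return any(OPS[rule.op](v, rule.value.lower()) for v in values)

def select_tunnel_group(cert_map, tg_map, cert):
    """cert_map: {seq: [Rule, ...]}; tg_map: {seq: tunnel-group}, i.e. the tunnel-group-map lines."""
    for seq in sorted(cert_map):
        if all(rule_matches(r, cert) for r in cert_map[seq]):
            return tg_map[seq]
    return None  # nothing matched; the ASA falls back to its default group selection

# Constructed client certificates; all assumed issued by the same trusted CA.
CERTS = {
    "alice":      {"subject-name": "C=US, O=Example, OU=VPN-Users, CN=alice"},
    "contractor": {"subject-name": "C=US, O=Vendor, OU=Contractors, CN=svc"},
    "bob":        {"subject-name": "C=DE, O=Example, OU=VPN-Users, CN=bob"},
}

def demo():
    # Piotr's map: CERT_MAP 10 with "subject-name attr C eq US", bound to TUN-GROUP.
    broad = {10: [Rule("subject-name", "C", "eq", "US")]}
    # Tightened entry: a second ANDed rule so only the VPN-Users OU reaches TUN-GROUP.
    tight = {10: [Rule("subject-name", "C", "eq", "US"),
                  Rule("subject-name", "OU", "eq", "VPN-Users")]}
    tg = {10: "TUN-GROUP"}
    return {n: (select_tunnel_group(broad, tg, c), select_tunnel_group(tight, tg, c))
            for n, c in CERTS.items()}
```

With the single `C eq US` rule every US-issued certificate from the trusted CA lands in TUN-GROUP, contractor included; the map only selects the group, so the restriction has to come from the rules themselves.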
2011/1/11 Joshua Fedor (US) <[email protected]>
Can anyone direct me to some documentation on certificate matching examples or
syntax on the ASA? I know this can be done with a certificate map on a router,
but is there a similar command on an ASA?
Thanks,
Josh
________________________________
Disclaimer: This e-mail communication and any attachments may contain
confidential and privileged information and is for use by the designated
addressee(s) named above only. If you are not the intended addressee, you are
hereby notified that you have received this communication in error and that any
use or reproduction of this email or its contents is strictly prohibited and
may be unlawful. If you have received this communication in error, please
notify us immediately by replying to this message and deleting it from your
computer. Thank you.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
This communication is the property of CLARKWESTERN Building Systems,Inc. and may
contain confidential or privileged information. Unauthorized use of this
communication is strictly prohibited and may be unlawful. If you have received
this communication in error, please immediately notify the sender by reply and
destroy all copies of the communication and any attachments.