I dug deeper into the intrinsic details of certificate processing and did the following, which I thought would change the picture. But still no luck.

1) Created the certificate map:

    crypto ca certificate map CERT-MAP 1
     subject-name attr ou eq webvpn

2) Enabled the mapping rules:

    tunnel-group-map enable rules

3) Configured certificate map to tunnel-group mapping:

    tunnel-group-map CERT-MAP 1 WEBVPN

Then what I see in the debugs drives me insane. It says the peer cert was authorized by CERT-MAP and then the same certificate cannot be authorized..... Arghhhh......

    CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 7AB09A3B000000000005, subject name: [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA, issuer_name: cn=MS-ROOT-CA,ou=CCIE.
    CRYPTO_PKI: Processing map rules for CERT-MAP.
    CRYPTO_PKI: Processing map CERT-MAP sequence 1...
    CRYPTO_PKI: Match of subject-name attr field to map PASSED. Peer cert field: ou = WEBVPN, map rule: subject-name attr ou eq webvpn.
    CRYPTO_PKI: Peer cert has been authorized by map: CERT-MAP sequence: 1.
    CRYPTO_PKI: Ignoring match on map CERT-MAP, index 1 for WebVPN group map processing. No tunnel group is configured.
    CRYPTO_PKI: Peer cert could not be authorized with map: CERT-MAP.
    CRYPTO_PKI: No Tunnel Group Match for peer certificate.

From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
Sent: Friday, June 22, 2012 5:20 PM
To: ccie security
Subject: [OSL | CCIE_Security] WebVPN on ASA with certificate based authentication - client connection doesn't land on the configured tunnel-group

Folks,

Up until now I always thought that by default, when any VPN connection lands on the ASA, one of the following conditions always works, namely: if this is a certificate based authentication then the OU in the certificate is used to match for the tunnel-group.

Trying to prove it with different scenarios. The portion of ASA config:

    ssl certificate-authentication interface OUT port 443
    tunnel-group WEBVPN type remote-access
    tunnel-group WEBVPN general-attributes
     authorization-server-group ACS
     authorization-required
     username-from-certificate OU
    tunnel-group WEBVPN webvpn-attributes
     authentication certificate

My test PC with a valid certificate connects via HTTP to the ASA and I see the following:

    ASA1(config)# CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 7AB09A3B000000000005, subject name: [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA, issuer_name: cn=MS-ROOT-CA,ou=CCIE.
    CRYPTO_PKI: No Tunnel Group Match for peer certificate

Doesn't make sense to me because, as you see, the tunnel-group and the OU are identical.

But if I change the ASA config to accept the connection on the default WebVPN group everything seems to work smoothly, i.e. the ASA still complains that it can't find the tunnel group for the peer certificate but the connection is successful. This time we see that it lands on the default WEBVPN group and authentication goes through.

    CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 7AB09A3B000000000005, subject name: [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA, issuer_name: cn=MS-ROOT-CA,ou=CCIE.
    CRYPTO_PKI: No Tunnel Group Match for peer certificate.
    Unable to locate tunnel group map
    webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
    ewaFormSubmit_webvpn_login: tgCookie = 0
    ewaFormSubmit_webvpn_login: cookie = d619c9a0
    ewaFormSubmit_webvpn_login: tgCookieSet = 0
    ewaFormSubmit_webvpn_login: tgroup = NULL
    Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Success.
    webvpn_portal.c:http_webvpn_kill_cookie[682]
    webvpn_auth.c:http_webvpn_pre_authorize[2267]
    webvpn_auth.c:ssl_get_cert_user_field[4800]
    using client cert: name=(WEBVPN)

Any ideas why it doesn't work with the user defined tunnel-group, or is my above understanding only applicable to IPSec VPN with certificates?

Eugene
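As an added illustration (not Eugene's configuration and not Cisco code), here is a small Python model of the two stages the debug output above makes visible: first the certificate-map rule is evaluated against the peer certificate's DN (the debug shows `ou = WEBVPN` satisfying `subject-name attr ou eq webvpn`, so the comparison is modelled as case-insensitive), then a separate "WebVPN group map processing" step looks for a tunnel-group bound to the matched map. The script also parses the quoted CRYPTO_PKI lines into a decision trail so the "authorized by map" / "could not be authorized" contradiction can be reduced to one diagnosis. The subject and issuer DNs and the debug lines are constructed from the post; the e-mail attribute is a placeholder because the real address was redacted; the DN parser is naive (no escaped commas); and the operator set (`eq`, `ne`, `co`, `nc`) and the matching semantics are assumptions modelled on the observed behaviour, not the ASA's implementation.

```python
import re
from dataclasses import dataclass

# Constructed sample values modelled on the DNs in the debug output above.
# The e-mail attribute is a placeholder; the real address was redacted in the post.
SUBJECT_DN = "e=testpc@example.test,cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA"
ISSUER_DN = "cn=MS-ROOT-CA,ou=CCIE"

# Constructed debug excerpt, copied from the lines quoted in the post.
DEBUG_LINES = [
    "CRYPTO_PKI: Processing map rules for CERT-MAP.",
    "CRYPTO_PKI: Processing map CERT-MAP sequence 1...",
    "CRYPTO_PKI: Match of subject-name attr field to map PASSED. Peer cert field: "
    "ou = WEBVPN, map rule: subject-name attr ou eq webvpn.",
    "CRYPTO_PKI: Peer cert has been authorized by map: CERT-MAP sequence: 1.",
    "CRYPTO_PKI: Ignoring match on map CERT-MAP, index 1 for WebVPN group map "
    "processing. No tunnel group is configured.",
    "CRYPTO_PKI: Peer cert could not be authorized with map: CERT-MAP.",
    "CRYPTO_PKI: No Tunnel Group Match for peer certificate.",
]


def parse_dn(dn: str) -> dict:
    """Split 'cn=X,ou=Y' into {'cn': ['X'], 'ou': ['Y']}: keys lower-cased,
    multi-valued attributes kept as lists. Naive: escaped commas are not handled."""
    attrs: dict = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


@dataclass
class MapRule:
    field: str   # "subject-name" or "issuer-name"
    attr: str    # DN attribute, e.g. "ou"
    op: str      # eq / ne / co / nc (assumed operator set)
    value: str


RULE_RE = re.compile(r"^(subject-name|issuer-name)\s+attr\s+(\S+)\s+(eq|ne|co|nc)\s+(.+)$")


def parse_rule(text: str) -> MapRule:
    """Parse one 'subject-name attr ou eq webvpn' rule line."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised map rule: {text!r}")
    return MapRule(*m.groups())


def rule_matches(rule: MapRule, subject: dict, issuer: dict) -> bool:
    """Case-insensitive comparison, modelled on the debug line where ou=WEBVPN
    satisfies 'eq webvpn' (assumption about the observed behaviour)."""
    dn = subject if rule.field == "subject-name" else issuer
    values = [v.lower() for v in dn.get(rule.attr.lower(), [])]
    want = rule.value.lower()
    if rule.op == "eq":
        return want in values
    if rule.op == "ne":
        return want not in values
    if rule.op == "co":
        return any(want in v for v in values)
    return all(want not in v for v in values)  # nc


def summarize_debug(lines) -> dict:
    """Pull the decision trail out of CRYPTO_PKI debug lines."""
    out = {"authorized_by": [], "ignored": [], "tunnel_group_matched": True}
    for line in lines:
        m = re.search(r"authorized by map: (\S+) sequence: (\d+)", line)
        if m:
            out["authorized_by"].append((m.group(1), int(m.group(2))))
        m = re.search(r"Ignoring match on map ([^,]+), index (\d+) for WebVPN group map processing\. (.*)", line)
        if m:
            out["ignored"].append((m.group(1), int(m.group(2)), m.group(3).rstrip(".")))
        if "No Tunnel Group Match" in line:
            out["tunnel_group_matched"] = False
    return out


def diagnose(summary: dict) -> str:
    """Reduce the trail to one statement of where certificate-to-group selection stopped."""
    if summary["tunnel_group_matched"]:
        return "tunnel-group selected from certificate"
    if summary["authorized_by"] and summary["ignored"]:
        return "map rule matched but no tunnel-group is bound to it for WebVPN"
    if not summary["authorized_by"]:
        return "no map rule matched the certificate"
    return "map matched but no tunnel-group match reported"


if __name__ == "__main__":
    subj, iss = parse_dn(SUBJECT_DN), parse_dn(ISSUER_DN)
    rule = parse_rule("subject-name attr ou eq webvpn")
    print("rule matches:", rule_matches(rule, subj, iss))
    print("diagnosis:", diagnose(summarize_debug(DEBUG_LINES)))
```

Run against the quoted debug, the diagnosis is that the map rule matched but nothing bound that map to a tunnel-group for WebVPN group map processing, which is exactly what the "Ignoring match ... No tunnel group is configured" line states. That separates the two things worth checking when triaging this on a real ASA: whether the map rule itself matches (it does here), and whether the map is bound to the WebVPN tunnel-group by the SSL/clientless binding (`certificate-group-map` under `webvpn`), which is a different command from the `tunnel-group-map` used for IPsec.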
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
