OU matching is only applicable for IPSec. With WebVPN, you need to either
use group-url or group-alias for landing on the tunnel-group.

Your configuration enables double authentication: certificate
authentication and PKI user authentication from OU.


With regards
Kings
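
An added configuration sketch, not from either post, showing the group-url and group-alias selectors the reply refers to alongside the original tunnel-group; the interface name OUT, tunnel-group WEBVPN and server group ACS follow the thread, while the hostname asa.example.com and the URL path are assumed.

```cisco
! Added example, not from the thread. Certificate authentication stays as
! configured; the tunnel-group is selected by URL or alias, not by the OU.
ssl certificate-authentication interface OUT port 443
!
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN general-attributes
 authorization-server-group ACS
 authorization-required
 username-from-certificate OU
tunnel-group WEBVPN webvpn-attributes
 authentication certificate
 ! Clients that browse to this URL land on WEBVPN (hostname and path assumed)
 group-url https://asa.example.com/webvpn enable
 ! Or let the user pick "WEBVPN" from the group drop-down on the login page
 group-alias WEBVPN enable
!
webvpn
 enable OUT
 ! The group drop-down is only offered when this is on
 tunnel-group-list enable
```

Either selector is enough on its own; with a group-url the user never sees the drop-down, with a group-alias the selection is made on the login page.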

On Sat, Jun 23, 2012 at 6:18 AM, Eugene Pefti <[email protected]> wrote:

>  I dug deeper into the intrinsic details of certificate processing and
> did the following that I thought would change the picture. But still no luck.
>
> 1) Created the certificate map:
>
> crypto ca certificate map CERT-MAP 1
> subject-name attr ou eq webvpn
>
> 2) Enabled the mapping rules:
>
> tunnel-group-map enable rules
>
> 3) Configured certificate map to tunnel-group mapping:
>
> tunnel-group-map CERT-MAP 1 WEBVPN
>
> Then what I see in the debugs drives me insane. It says the peer cert
> was authorized by CERT-MAP and then the same certificate cannot be
> authorized.....
>
> Arghhhh......
>
> CRYPTO_PKI: Attempting to find tunnel group for cert with serial number:
> 7AB09A3B000000000005, subject name:
> [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA,
> issuer_name: cn=MS-ROOT-CA,ou=CCIE.
>
> CRYPTO_PKI: Processing map rules for CERT-MAP.
>
> CRYPTO_PKI: Processing map CERT-MAP sequence 1...
>
> CRYPTO_PKI: Match of subject-name attr field to map PASSED. Peer cert
> field: ou = WEBVPN, map rule: subject-name  attr ou eq webvpn.
>
> CRYPTO_PKI: Peer cert has been authorized by map: CERT-MAP sequence: 1.
>
> CRYPTO_PKI: Ignoring match on map CERT-MAP, index 1 for WebVPN group map
> processing.  No tunnel group is configured.
>
> CRYPTO_PKI: Peer cert could not be authorized with map: CERT-MAP.
>
> CRYPTO_PKI: No Tunnel Group Match for peer certificate.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
> Sent: Friday, June 22, 2012 5:20 PM
> To: ccie security
> Subject: [OSL | CCIE_Security] WebVPN on ASA with certificate based
> authentication - client connection doesn't land on the configured
> tunnel-group
>
> Folks,
>
> Up until now I always thought that by default when any VPN connection
> lands on the ASA one of the following conditions always works, namely
>
> If this is a certificate based authentication then the OU in the
> certificate is used to match for the tunnel-group.
>
> Trying to prove it with different scenarios
>
> The portion of ASA config:
>
>
> ssl certificate-authentication interface OUT port 443
>
> tunnel-group WEBVPN type remote-access
> tunnel-group WEBVPN general-attributes
> authorization-server-group ACS
> authorization-required
> username-from-certificate OU
> tunnel-group WEBVPN webvpn-attributes
> authentication certificate
>
> My test PC with a valid certificate connects via HTTP to the ASA and I see
> the following:
>
> ASA1(config)#
>
> CRYPTO_PKI: Attempting to find tunnel group for cert with serial number:
> 7AB09A3B000000000005, subject name:
> [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA,
> issuer_name: cn=MS-ROOT-CA,ou=CCIE.
>
> CRYPTO_PKI: No Tunnel Group Match for peer certificate
>
>
> Doesn’t make sense to me because as you see the tunnel-group and the OU
> are identical.
>
> But if I change the ASA config to accept connection on the default WebVPN
> group everything seems to work smoothly, i.e. the ASA still complains that
> it can’t find the tunnel group for the peer certificate but the connection
> is successful. This time we see that it lands on a default WEBVPN group and
> authentication goes through.
>
> CRYPTO_PKI: Attempting to find tunnel group for cert with serial number:
> 7AB09A3B000000000005, subject name:
> [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA,
> issuer_name: cn=MS-ROOT-CA,ou=CCIE.
>
> CRYPTO_PKI: No Tunnel Group Match for peer certificate.
>
> Unable to locate tunnel group map
> webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
> ewaFormSubmit_webvpn_login: tgCookie = 0
> ewaFormSubmit_webvpn_login: cookie = d619c9a0
> ewaFormSubmit_webvpn_login: tgCookieSet = 0
> ewaFormSubmit_webvpn_login: tgroup = NULL
> Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Success.
> webvpn_portal.c:http_webvpn_kill_cookie[682]
> webvpn_auth.c:http_webvpn_pre_authorize[2267]
> webvpn_auth.c:ssl_get_cert_user_field[4800]
> using client cert: name=(WEBVPN)
>
> Any ideas why it doesn’t work with the user defined tunnel-group or my
> above understanding is only applicable to IPSec VPN with certificates?
>
> Eugene
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>