I tried all these cases some time back, but they are not striking me now. AV 25 decides the group policy. If we enable user authentication from the cert, I think it should work.
With regards,
Kings

On Sun, Jun 24, 2012 at 9:20 AM, Eugene Pefti <[email protected]> wrote:
> Thanks, King.
>
> I was almost positive that SSL VPN is not relevant for OU matching.
>
> How about the class 25 attribute that can be used to map the connecting user to the required group-policy?
>
> In this case the connection would still land on a default WebVPNgroup tunnel-group, which is essentially the same as I ran into.
>
> Eugene
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Friday, June 22, 2012 8:11 PM
> To: Eugene Pefti
> Cc: ccie security
> Subject: Re: [OSL | CCIE_Security] WebVPN on ASA with certificate based authentication - client connection doesn't land on the configured tunnel-group
>
> OU matching is only applicable for IPSec. With WebVPN, you need to either use group-url or group-alias for landing on the tunnel-group.
>
> Your configuration enables double authentication: certificate authentication and PKI user authentication from OU.
>
> With regards
> Kings
>
> On Sat, Jun 23, 2012 at 6:18 AM, Eugene Pefti <[email protected]> wrote:
>
> I dug deeper into the intrinsic details of certificate processing and did the following, which I thought would change the picture. But still no luck.
>
> 1) Created the certificate map:
>
> crypto ca certificate map CERT-MAP 1
>  subject-name attr ou eq webvpn
>
> 2) Enabled the mapping rules:
>
> tunnel-group-map enable rules
>
> 3) Configured certificate map to tunnel-group mapping:
>
> tunnel-group-map CERT-MAP 1 WEBVPN
>
> Then what I see in the debugs drives me insane. It says the peer cert was authorized by CERT-MAP and then the same certificate can not be authorized.....
>
> Arghhhh......
>
> CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 7AB09A3B000000000005, subject name: [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA, issuer_name: cn=MS-ROOT-CA,ou=CCIE.
> CRYPTO_PKI: Processing map rules for CERT-MAP.
> CRYPTO_PKI: Processing map CERT-MAP sequence 1...
> CRYPTO_PKI: Match of subject-name attr field to map PASSED. Peer cert field: ou = WEBVPN, map rule: subject-name attr ou eq webvpn.
> CRYPTO_PKI: Peer cert has been authorized by map: CERT-MAP sequence: 1.
> CRYPTO_PKI: Ignoring match on map CERT-MAP, index 1 for WebVPN group map processing. No tunnel group is configured.
> CRYPTO_PKI: Peer cert could not be authorized with map: CERT-MAP.
> CRYPTO_PKI: No Tunnel Group Match for peer certificate.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
> Sent: Friday, June 22, 2012 5:20 PM
> To: ccie security
> Subject: [OSL | CCIE_Security] WebVPN on ASA with certificate based authentication - client connection doesn't land on the configured tunnel-group
>
> Folks,
>
> Up until now I always thought that by default, when any VPN connection lands on the ASA, one of the following conditions always works, namely:
>
> If this is a certificate based authentication then the OU in the certificate is used to match the tunnel-group.
>
> Trying to prove it with different scenarios.
>
> The portion of ASA config:
>
> ssl certificate-authentication interface OUT port 443
>
> tunnel-group WEBVPN type remote-access
> tunnel-group WEBVPN general-attributes
>  authorization-server-group ACS
>  authorization-required
>  username-from-certificate OU
> tunnel-group WEBVPN webvpn-attributes
>  authentication certificate
>
> My test PC with a valid certificate connects via HTTP to the ASA and I see the following:
>
> ASA1(config)#
> CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 7AB09A3B000000000005, subject name: [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA, issuer_name: cn=MS-ROOT-CA,ou=CCIE.
> CRYPTO_PKI: No Tunnel Group Match for peer certificate
>
> Doesn't make sense to me, because as you see the tunnel-group and the OU are identical.
>
> But if I change the ASA config to accept the connection on the default WebVPN group, everything seems to work smoothly, i.e. the ASA still complains that it can't find the tunnel group for the peer certificate, but the connection is successful. This time we see that it lands on the default WEBVPN group and authentication goes through.
>
> CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 7AB09A3B000000000005, subject name: [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA, issuer_name: cn=MS-ROOT-CA,ou=CCIE.
> CRYPTO_PKI: No Tunnel Group Match for peer certificate.
> Unable to locate tunnel group map
> webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
> ewaFormSubmit_webvpn_login: tgCookie = 0
> ewaFormSubmit_webvpn_login: cookie = d619c9a0
> ewaFormSubmit_webvpn_login: tgCookieSet = 0
> ewaFormSubmit_webvpn_login: tgroup = NULL
> Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Success.
> webvpn_portal.c:http_webvpn_kill_cookie[682]
> webvpn_auth.c:http_webvpn_pre_authorize[2267]
> webvpn_auth.c:ssl_get_cert_user_field[4800]
> using client cert: name=(WEBVPN)
>
> Any ideas why it doesn't work with the user defined tunnel-group, or is my above understanding only applicable to IPSec VPN with certificates?
>
> Eugene
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
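The debug line "Ignoring match on map CERT-MAP, index 1 for WebVPN group map processing. No tunnel group is configured." shows the certificate map matching for the SSL path but finding no tunnel-group bound to it on that path. On the ASA, `tunnel-group-map` (the command used in the thread) binds certificate maps for the IPsec/IKE path; the binding consulted for WebVPN and SSL VPN sessions is `certificate-group-map`, entered in `webvpn` configuration mode. The fragment below is an added example and is not configuration posted by anyone in this thread; it reuses the interface name OUT, the map CERT-MAP and the tunnel-group WEBVPN from the messages above, and the hostname asa.example.com is a placeholder.

```text
! Cisco ASA, added example (names OUT, CERT-MAP and WEBVPN taken from the thread;
! asa.example.com is a placeholder hostname)
ssl certificate-authentication interface OUT port 443
!
crypto ca certificate map CERT-MAP 1
 subject-name attr ou eq webvpn
!
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN webvpn-attributes
 authentication certificate
 ! alternative selection mechanism mentioned in the thread: a dedicated URL
 group-url https://asa.example.com/webvpn enable
!
webvpn
 enable OUT
 ! binds the certificate map to the tunnel-group for WebVPN / SSL VPN sessions;
 ! this is the binding the "WebVPN group map processing" debug line looks for
 certificate-group-map CERT-MAP 1 WEBVPN
!
! verification after a test connection
show vpn-sessiondb webvpn
debug crypto ca 3
```

With the `certificate-group-map` binding in place, a subsequent `debug crypto ca 3` run should show the CERT-MAP match followed by a tunnel-group selection instead of "No Tunnel Group Match for peer certificate". The fall-through seen in the thread, where the session lands on DefaultWEBVPNGroup with "Client Cert Auth Success", matters from a policy standpoint: the session then receives whatever group-policy the default group carries rather than the one intended for WEBVPN, so keeping a restrictive group-policy on DefaultWEBVPNGroup limits what a mis-bound certificate can reach.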