Application Note: Cisco ASA - Certificate to SSL VPN Connection Profile

Overview: This application note explains how to configure the ASA to accommodate SSL VPN sessions that use a certificate for authentication, and to use the attributes within that certificate to assign a specific Connection Profile to the user. Mapping a user's certificate to a specific Connection Profile is also configurable for IPsec VPN; however, this paper focuses solely on SSL VPN. The Connection Profile, also known as a Tunnel Group, consists of a set of records that determines the tunnel connection policies. We will also configure the ASA's Local Certificate Authority, which we will use in this configuration example. The ASA's Local CA was introduced in v8.0 and offers basic CA features on the ASA itself without the need for an external CA. The Local CA can be used both to deploy and to revoke certificates, and it offers users an easy enrollment mechanism.

Section 1: ASA Configuration using ASDM

Step 1. Enable the Outside Interface to require a Client Certificate

Navigate to Configuration > Remote Access VPN > Clientless SSL VPN > Connection Profiles and ensure that Require Client Certificate is checked. This causes the ASA to check for, and require, a valid certificate from the client before allowing a connection. Validity is judged against the CA certificates the ASA trusts; in this example that is the Local CA configured in Step 4.

Figure 1: Require Client Certificate

Step 2. Configure/Add a Connection Profile

If you have already configured a Connection Profile, just edit the desired profile; here we will configure a new profile as follows.

Navigate to Configuration > Remote Access VPN > Clientless SSL VPN > Connection Profiles and click Add. Name the profile and create an alias for the Connection Profile. An alias specifies an alternate name that can be used for this connection, as long as you also enable the alias feature (Figure 3). Also notice that we selected an existing, non-default Group Policy for this Connection Profile; this is not necessary in order to test this solution successfully.

Figure 2: Connection Profile configuration

Figure 3: Enable the use of alias

Step 3. Configure a Certificate to SSL VPN Connection Profile Map

For the ASA to select a specific Connection Profile based on the attributes contained in the client's certificate, we need to define a mapping rule that matches users to a Connection Profile based on those attributes. Once the rules are defined, they are associated with the desired profile. Navigate to Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps and click Add under Certificate to Connection Profile Maps. In this example, if the certificate has OU=marketing and C=US, the user will be mapped to the Marketing Connection Profile. Note that the map only performs authorization: the certificate was already validated against a trusted CA in Step 1, so only that CA can issue a certificate carrying these attributes, and an attacker cannot simply self-sign a certificate with OU=marketing to reach the Marketing profile.

Figure 4: Create New Certificate Map

Note: Multiple Connection Profile Maps can exist. In that case the ASA evaluates each connection against the mapping list, with the lowest priority number taking precedence.

After creating the new Connection Profile Map, the next step is to configure the criteria to match for the map Marketing_Map created in the previous step. Once again, the criteria we want to match are that the user's certificate contains OU=marketing and C=US; if both are present, the user has met the criteria and will be connected to the Marketing Connection Profile. Navigate to Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps and, with Marketing_Map highlighted, use the lower pane to configure two rules as shown in Figure 5 and completed in Figure 6.

Figure 5: Configuring Mapping Criteria

Figure 6: Mapping Criteria Completed

Note: You can configure rules based on the Issuer and Subject fields of a certificate. For more information, refer to the Cisco Security Appliance Command Line Configuration Guide, Version 8.0: http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1046987

Step 4. Configure a Local Certificate Authority

The ASA offers a Local Certificate Authority (CA), an in-house authority that resides directly on the appliance for certificate authentication. It:
- enrolls users through a browser web page login;
- integrates basic certificate authority functionality on the ASA;
- deploys certificates;
- provides secure revocation checking of issued certificates.

Navigate to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > CA Server and create the Certificate Authority as shown below to enable users to obtain certificates via a web browser. Optionally, you could configure e-mail access for the Local CA server by configuring a Simple Mail Transfer Protocol (SMTP) server and the e-mail address from which to send e-mails to Local CA users, but for the purpose of this example we will only configure HTTP.

1. Check Create Certificate Authority Server.
2. Check Enable.
3. Enter a Pass Phrase.

Figure 7: Create a Local CA

Step 5. Add a user to the Local CA's User Database

The ASA's Local CA maintains a user database and the status of each user's enrollment, such as enrolled, allowed or revoked. In this step we will add a user, ssluser, to the database. Navigate to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Database, select Add and enter the information as shown in Figure 8.

1. Select Add to add the user ssluser.
2. Enter the username ssluser.
3. Enter the Email ID (optional in this case).
4. Enter the Subject (DN String); this can be typed directly in the box, or click Select to enter it step by step.
5. Click Select and configure the value for each attribute contained in the user's certificate. The OU and C values entered here are what the Marketing_Map rules from Step 3 will match against.

Figure 8: Add user to the database

After adding the user, the user's status will show that enrollment is allowed but the user is not yet enrolled, as shown in Figure 9 below. Also note the One Time Password (OTP) that was automatically generated for the user; it is required for enrollment but is no longer needed once the user has successfully enrolled.

Figure 9: User configuration complete

Step 6. Verify the Local CA's Certificate

When we created the Local CA on the ASA, a local certificate should have been created for the ASA; ensure that it is present.

Note: If the certificate does not appear, save the configuration and refresh ASDM.

Navigate to Configuration > Remote Access VPN > Certificate Management > CA Certificates.

Figure 10: ASA's CA Certificate

Note: This completes the ASA configuration.
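The same configuration entered at the ASA command line, as an added example that is not part of the original application note. It reproduces Steps 1 to 6 in ASA 8.0 syntax and adds the show commands used to verify each piece. Names taken from the page: the outside interface, the Marketing connection profile, Marketing_Map, Marketing_Policy, the user ssluser and the hostname BXBASA5540. The issuer name, the user's full DN and e-mail address, the banner text, the map index 10 and the webvpn enable line are assumptions for illustration. The Local CA passphrase is typed interactively when the server is brought up with no shutdown, so it never appears in the configuration. Lines beginning with ! are comments.

```cisco
! Added example (not from the application note). ASA 8.0 CLI.
! Assumed values: issuer-name, user DN/e-mail, banner text, map index 10.

! Step 1: require a client certificate on the outside interface (TLS port 443).
ssl certificate-authentication interface outside port 443

! Group policy referenced by the profile; its banner is what the user sees in Section 2, Step 8.
group-policy Marketing_Policy internal
group-policy Marketing_Policy attributes
 vpn-tunnel-protocol webvpn
 banner value Marketing clientless portal - authorized users only

! Step 2: connection profile (tunnel group) with an alias and certificate authentication.
tunnel-group Marketing type remote-access
tunnel-group Marketing general-attributes
 default-group-policy Marketing_Policy
tunnel-group Marketing webvpn-attributes
 authentication certificate
 group-alias Marketing enable

! Step 3: certificate map. Both subject-name rules must match for the map to hit;
! when several maps exist they are tried in ascending index order (lowest number first).
crypto ca certificate map Marketing_Map 10
 subject-name attr ou eq marketing
 subject-name attr c eq US

! Associate the map with the SSL VPN connection profile and allow the alias list on the login page.
webvpn
 enable outside
 tunnel-group-list enable
 certificate-group-map Marketing_Map 10 Marketing

! Step 4: Local CA. "no shutdown" prompts for the passphrase and generates the CA key pair
! and self-signed certificate (the one checked in Step 6).
crypto ca server
 issuer-name CN=BXBASA5540
 no shutdown

! Step 5: add the user with the DN the map will match, then allow enrollment.
! display-otp prints the one-time password that the user types at the enrollment page.
crypto ca server user-db add ssluser dn CN=ssluser,OU=marketing,C=US email ssluser@example.com
crypto ca server user-db allow ssluser display-otp

! Verification (Step 6 and after the user has enrolled in Section 2):
show crypto ca server
show crypto ca server user-db username ssluser
show crypto ca server cert-db user ssluser
show running-config crypto ca certificate map
show vpn-sessiondb detail webvpn filter name ssluser
```

If the session shows Tunnel Group DefaultWEBVPNGroup instead of Marketing, the certificate map did not match; compare the subject DN in show crypto ca server cert-db user ssluser with the subject-name rules, remembering that every rule in the map must match.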

Section 2: SSL VPN Clientless User Configuration

Step 1. Enroll the user with the ASA's Local Certificate Authority

Using Internet Explorer, connect to the enrollment URL shown in Figure 11. The first login screen you receive will warn you that the certificate does not yet exist and will prompt you to obtain the certificate.

Figure 11: Initial login screen, https://5.5.5.2/+CSCOA+/enroll.html

Step 2. Enter the username ssluser and the OTP shown earlier in Step 5 and Figure 9.

Figure 12: Enrollment using OTP

Step 3. Download and save the certificate to the Desktop.

Figure 13: Downloading & Saving the Certificate

Step 4. Open Tools / Internet Options / Content / Certificates / Import and select Next to begin the import process.

Figure 14: IE Internet Options Certificate Import

Step 5. When prompted, select the certificate that was saved to the desktop in Step 3.

Figure 15: Import Wizard

Step 6. Enter the OTP when prompted for the password.

Figure 16: OTP Required by Wizard

Step 7. Allow IE to determine the proper Certificate Store for the newly imported certificate.

Figure 17: Certificate store

Figure 18: Certificate Import completed

Step 8. Make a Clientless SSL VPN Connection

The expected result is that, upon establishing the connection to the ASA, the user will be prompted to acknowledge a banner configured on the group policy associated with the Marketing connection profile and will then be given the portal.

Figure 19: Clientless connection

Step 9. Verify the session using ASDM and the CLI

Figure 20: ASDM Monitoring

Figure 21: CLI command

    BXBASA5540# show vpn-sessiondb detail webvpn

    Session Type: WebVPN Detailed

    Username     : ssluser                Index        : 12
    Public IP    : 10.86.181.70
    Protocol     : Clientless
    License      : SSL VPN
    Encryption   : RC4                    Hashing      : SHA1
    Bytes Tx     : 420538                 Bytes Rx     : 181632
    Pkts Tx      : 4                      Pkts Rx      : 1
    Pkts Tx Drop : 0                      Pkts Rx Drop : 0
    Group Policy : Marketing_Policy       Tunnel Group : Marketing
    Login Time   : 21:30:56 UTC Sat Dec 8 2007
    Duration     : 0h:07m:15s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none

    Clientless Tunnels: 1

The Tunnel Group field confirms that the certificate map placed ssluser in the Marketing connection profile rather than the default, and Group Policy confirms the policy whose banner was displayed in Step 8.

References:
- http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1021682
- http://www.cisco.com/en/us/partner/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1067484
- http://www.cisco.com/en/US/partner/docs/security/asa/asa80/asdm60/user/guide/vpn_web.html#wp1057037