GlobalSign Enterprise Solutions
Cisco VPN User Guide
Building a secure network using Enterprise PKI, Cisco ASA, and the AnyConnect app for iOS

TABLE OF CONTENTS
Introduction
  About This Document
  Document Focus
Settings For Cisco ASA
  Obtain an SSL Certificate
  SSL Configuration Set Up
  Enable SSL
  Configure the Client Certificate Issuing Authority
  Add the TrustPoint Associated with your ePKI Client Certificates
  Set Up a Connection Profile Mapping
  Set the Authentication Method
  Set the CRL
Settings for Enterprise PKI
  Summary
  Create a Configuration Profile
  Upload Configuration Profiles
  Issuance of a Certificate
Setting Up the End User Device
Connecting to your VPN
GlobalSign Contact Information

INTRODUCTION

ABOUT THIS DOCUMENT
In this document, we describe how a digital-certificate-enabled Apple configuration profile, delivered through GlobalSign's Enterprise PKI (ePKI) service for the iPhone/iPad, can be used to make a secure SSL VPN connection via the AnyConnect app for iOS to an ASA 5500 security appliance from Cisco Systems, Inc. Implementing certificate-based two-factor authentication on iOS devices, which are often employee owned, can help organizations protect sensitive resources stored on internal networks. The contents described in this material were confirmed in our verification environment; results may differ depending on your organization's exact environment. Consult Cisco's AnyConnect Administration Guide for additional details:
http://www.cisco.com/en/us/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/anyconnectadmin24.html

DOCUMENT FOCUS
The procedures in this document have been tested in the following environment:
- Cisco Adaptive Security Appliance (ASA) 5505 (Version 8.4(1))
- GlobalSign Enterprise PKI
- iPhone 4 (iOS 5.1)
- AnyConnect (Secure Mobility Client) 2.4.4009

SETTINGS FOR CISCO ASA
The following steps are required to install the server certificate, enable the VPN connection, and install the client certificate that will access the VPN. Detailed instructions for each step are provided below.
1. Obtain an SSL certificate: create an SSL certificate via your GlobalSign GCC account. For this step, you should create a certificate using AutoCSR; this will give you a certificate in PKCS12 format for easy importing into the ASA.
2. Enable SSL: after your SSL certificate is imported, enable the VPN connection in the ASA.
3. Configure the client certificate issuing authority: you need to add the client certificates' issuing authority to your ASA in order to configure authenticated access by any of your clients.
4. Add the TrustPoint associated with your ePKI client certificates.
5. Set up a connection profile mapping: create mappings via the O and OU fields of the client certificates for allowing or refusing VPN access.
6. Set the authentication method.
7. Set the CRL (Certificate Revocation List) access method/point.

OBTAIN AN SSL CERTIFICATE
To apply for a server certificate using the GlobalSign Certificate Center (GCC) panel, select the AutoCSR method of enrolling for an SSL certificate. Use your VPN URL as the common name in your certificate request. After certificate issuance, it will be possible to retrieve the PKCS12 file (certificate + private key) for importing into ASDM. The file will be delivered in .pfx format.

SSL CONFIGURATION SET UP
First, you will need to log in to ASDM. Navigate to Configuration > Remote Access VPN > Certificate Management > Identity Certificate and click the Add button in the top right corner of the screen. This will bring up the following screen.

Select the "Import the identity certificate from a file" option, browse for the PKCS12 file, and enter the associated passphrase. Enter a TrustPoint Name that you wish to associate with the SSL certificate that will authenticate the Cisco ASA server to connecting users, and click Add Certificate. The following confirmation screen will be displayed. Click the Send button to continue. The upload is complete when the following screen is displayed. Back on the main ASDM screen, you can see that the certificate has been added.

ENABLE SSL
This section allows you to enable or disable SSL and select the preferred interface. Within ASDM, navigate to Configuration > Device Management > Advanced > SSL Settings. Then click the Edit button to bring up the Select SSL Certificate window. Here you should add the certificate to be used on the interface the users will be accessing.

CONFIGURE THE CLIENT CERTIFICATE ISSUING AUTHORITY
Within ASDM, navigate to Configuration > Remote Access VPN > Certificate Management > CA Certificates. Click the Add button in the top right corner of the screen. This will bring up the Install Certificate screen.

ADD THE TRUSTPOINT ASSOCIATED WITH YOUR EPKI CLIENT CERTIFICATES
Add a TrustPoint Name (different from the one used in the previous Enable SSL step), now associated with the issuer of the client certificates issued from the Enterprise PKI service, by pasting the issuer certificate in PEM format or browsing to the file location (https://jp.globalsign.com/repository/common/cer/pscacert_v2.cer). Click Install Certificate when done.

SET UP A CONNECTION PROFILE MAPPING
Within ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Here we create two profiles, one for no access and one for access to the VPN. While in Group Policies, click Add to establish a profile. Create two profiles to establish the rules associated with no access and access to the VPN. Enable the policy map and profile using the following procedure. Navigate to Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps, which will bring up the following screen.

In the Certificate to Connection Profile Maps section, click the Add button. The following screen will appear. Select the New Map option, a Priority based on your organization's policies, and the AnyConnect VPN_Tunnel profile for the Mapped to Connection Profile. Click OK when finished. Back on the main ASDM screen, click the Add button under the Mapping Criteria section. The following screen will appear.

You must set the values for two fields:
- OU (department name)
- O (organization name)
These values are established when registering an Enterprise PKI profile (see the example Enterprise PKI profile below). Click OK when you have finished specifying the O and OU values. Back on the main ASDM screen, click the Add button under the Certificate to Connection Profile Maps section. Select the Existing Map option and choose the map you created in the step above. Choose the NoAccess option in the Mapped to Connection Profile dropdown to specify the behavior in cases where attempted client certificate connections do not match the required conditions.
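The mapping logic these two screens configure, written out as an added Python model so the evaluation order is explicit (this is not GlobalSign's or Cisco's code): maps are tried in priority order, every criterion in a map (here O and OU) must equal the value in the client certificate's subject, and a certificate that matches no map falls through to the NoAccess profile. The rule name, the O/OU values, the profile names and the sample subjects are all constructed for the example.

```python
"""Model of an ASA-style certificate-to-connection-profile map.

Added example for illustration only; not GlobalSign or Cisco code.
Rule names, O/OU values, profile names and subjects are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MapRule:
    name: str
    priority: int             # lower number is evaluated first
    criteria: dict            # subject attributes that must all match, e.g. {"O": ..., "OU": ...}
    connection_profile: str   # profile a matching certificate is mapped to


# Profile used when a client certificate matches no rule: the catch-all
# "Existing Map" entry that the guide maps to NoAccess.
NO_ACCESS = "NoAccess"


def parse_subject(dn: str) -> dict:
    """Parse a subject string such as 'CN=alice, OU=VPN Users, O=Example Corp'
    into a dict keyed by upper-cased attribute type.  Malformed fragments are
    skipped; if an attribute type appears twice, the first occurrence wins."""
    attrs = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip().upper(), value.strip())
    return attrs


def rule_matches(rule: MapRule, subject: dict) -> bool:
    """A rule matches only when every one of its criteria equals the subject value."""
    return all(subject.get(key.upper()) == value for key, value in rule.criteria.items())


def map_connection_profile(subject_dn: str, rules, default: str = NO_ACCESS) -> str:
    """Return the connection profile for a client certificate subject.

    Rules are tried in ascending priority and the first match wins.  A subject
    that matches nothing gets `default`, which is NoAccess so that an
    unexpected certificate from the same CA is refused rather than admitted."""
    subject = parse_subject(subject_dn)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, subject):
            return rule.connection_profile
    return default


# Constructed rule set: one map carrying the Enterprise PKI profile's O/OU values.
RULES = [
    MapRule(
        name="EPKI_VPN_USERS",
        priority=10,
        criteria={"O": "Example Corp", "OU": "VPN Users"},
        connection_profile="AnyConnect_VPN_Tunnel",
    ),
]


if __name__ == "__main__":
    # Constructed sample subjects, as a single CA might issue them.
    for dn in (
        "CN=alice, OU=VPN Users, O=Example Corp",
        "CN=bob, OU=Contractors, O=Example Corp",
        "CN=carol, OU=VPN Users, O=Other Corp",
        "CN=dave, O=Example Corp",
    ):
        print(f"{dn!r:45} -> {map_connection_profile(dn, RULES)}")
```

Only the first subject reaches AnyConnect_VPN_Tunnel; a different OU, a different O, or a missing OU all land on NoAccess. Because the comparison is an exact string match, the O and OU strings in the map must be identical to those registered in the Enterprise PKI profile.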

SET THE AUTHENTICATION METHOD
Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Select the profile(s) on which you wish to perform client authentication. After you have selected the profile, click Edit and select Certificate as the authentication method.

SET THE CRL
It is possible to add a CRL for retrieving a list of revoked certificates. Revoked certificates will be refused access to the VPN. Navigate to Configuration > Remote Access VPN > Certificate Management > CA Certificates. Select the client certification authority, GlobalSign PersonalSign2 CA G2, to add for CRL retrieval and click the Edit button. This will bring up the Edit Options for CA Certificate screen. On the first tab, Revocation Check, you can add and select the CRL revocation method. Here you should also deselect "Consider certificate valid if revocation information cannot be retrieved", so that a client whose revocation status cannot be determined is refused rather than admitted. In the CRL Retrieval Policy tab, select the "Use Static URLs configured below" option. Add the URL for the location of the CRL: http://crl.globalsign.com/gs/gspersonalsign2g2.crl. Click OK when finished.
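To show what the "Consider certificate valid if revocation information cannot be retrieved" checkbox changes, here is an added Python model of the revocation decision (not GlobalSign's or Cisco's code). The weak setting is `allow_if_unavailable=True`; the guide's recommended setting is the default, `False`, under which a failed download, a CRL from the wrong issuer, or a CRL past its nextUpdate all result in the connection being refused. The CRL contents, serial numbers, issuer name and timestamps are constructed, and `make_fetch` stands in for the ASA's download of the static CRL URL.

```python
"""Model of the ASA's CRL revocation check for an AnyConnect client certificate.

Added example for illustration only; not GlobalSign or Cisco code.  The CRL
contents, serial numbers, issuer name and timestamps are constructed, and
`make_fetch` stands in for the ASA's download of the configured static CRL URL.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, FrozenSet, Optional, Tuple


class CRLUnavailable(Exception):
    """Raised when no usable CRL can be obtained (download error, wrong issuer, stale list)."""


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime             # after this instant the list is stale
    revoked_serials: FrozenSet[int]


def check_revocation(serial: int, issuer: str, fetch: Callable[[], CRL], now: datetime,
                     allow_if_unavailable: bool = False) -> Tuple[str, str]:
    """Decide "allow" or "deny" for a client certificate and say why.

    `allow_if_unavailable=True` models the ASDM checkbox "Consider certificate
    valid if revocation information cannot be retrieved".  The guide says to
    leave it unchecked, which is the default here: no usable CRL means deny.
    """
    try:
        crl = fetch()
        if crl.issuer != issuer:
            raise CRLUnavailable("CRL issuer does not match certificate issuer")
        if now > crl.next_update:
            raise CRLUnavailable("CRL is past its nextUpdate and must be refreshed")
    except CRLUnavailable as exc:
        if allow_if_unavailable:
            return "allow", f"revocation status unknown ({exc}); admitted by weak policy"
        return "deny", f"revocation status unknown ({exc}); refused (fail closed)"

    if serial in crl.revoked_serials:
        return "deny", f"serial {serial:#x} is listed on the CRL"
    return "allow", f"serial {serial:#x} not on CRL (list valid until {crl.next_update.isoformat()})"


# Constructed sample data.
ISSUER = "CN=Example Client CA (constructed)"
NOW = datetime(2024, 1, 2, tzinfo=timezone.utc)
SAMPLE_CRL = CRL(
    issuer=ISSUER,
    this_update=datetime(2024, 1, 1, tzinfo=timezone.utc),
    next_update=datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=7),
    revoked_serials=frozenset({0x1001, 0x1002}),
)
# A point in time after the sample CRL's nextUpdate, i.e. when a cached copy is stale.
AFTER_NEXT_UPDATE = SAMPLE_CRL.next_update + timedelta(days=1)


def make_fetch(crl: Optional[CRL]) -> Callable[[], CRL]:
    """Return a fetch function that yields `crl`, or fails when `crl` is None."""
    def fetch() -> CRL:
        if crl is None:
            raise CRLUnavailable("HTTP download of CRL failed")
        return crl
    return fetch


if __name__ == "__main__":
    cases = [
        ("revoked cert, CRL reachable", 0x1001, make_fetch(SAMPLE_CRL), NOW, False),
        ("good cert, CRL reachable", 0x2001, make_fetch(SAMPLE_CRL), NOW, False),
        ("CRL unreachable, fail closed", 0x2001, make_fetch(None), NOW, False),
        ("CRL unreachable, weak setting", 0x2001, make_fetch(None), NOW, True),
        ("stale CRL, fail closed", 0x2001, make_fetch(SAMPLE_CRL), AFTER_NEXT_UPDATE, False),
    ]
    for label, serial, fetch, now, weak in cases:
        decision, reason = check_revocation(serial, ISSUER, fetch, now, weak)
        print(f"{label:32} {decision:5} {reason}")
```

The stale-CRL case is why the refresh interval on the Advanced tab matters: a cached list that is past its nextUpdate is treated the same as an unreachable one, so with the weak setting it would admit every certificate, including ones revoked since the last download.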

In the Advanced tab, you can change the CRL refresh interval and other CRL options. ASA configuration is now complete.

SETTINGS FOR ENTERPRISE PKI

SUMMARY
Use Enterprise PKI to send a configuration profile at the same time that you install the certificate on the device. Log in to your Enterprise PKI account to upload the configuration profile that you created using the iPhone Configuration Utility, and then start with the issuance of certificates.

CREATE A CONFIGURATION PROFILE
First you will need to create a new configuration profile in the iPhone Configuration Utility, available as a free download from Apple's site. Click the SCEP section on the left side of the screen to begin.

Add dummy values to the following fields. The actual values will be overwritten by the system.
- URL: input dummy value
- Name: input dummy value
- Subject: O=input dummy value, OU=input dummy value
- Challenge: test
Next select VPN in the menu on the left.

Here you set the following values.
- Connection Name: any name
- Connection Type: Cisco AnyConnect
- Server: the AnyConnect host name or IP address you connect to for VPN access
- User Authentication: Certificate
- Credentials: select the SCEP entry
At this point you can also add, via the Restrictions section, any security restrictions you wish to be implemented on the device before it can enter your network. Export the profile you just created, either with or without a signature.

UPLOAD CONFIGURATION PROFILES
In your GlobalSign GCC account, click the Enterprise PKI tab. Click on the Certificate Management item in the left-hand menu. You will be prompted to present a certificate (you will need to obtain an administrator certificate during the first visit). After presenting the certificate, you will see a menu item, Edit iPhone Configuration, at the bottom of the left menu under the Useful Function section. Clicking that brings up the following screen. Click the Edit button next to the appropriate profile.

This will bring up the following screen. Click Browse to select the configuration profile that you created with the iPhone Configuration Utility. Click the Upload button and confirm the upload by clicking the Next button. The profile is now in place.

ISSUANCE OF A CERTIFICATE
Issuance of certificates in Enterprise PKI can be carried out in two ways:
- New Certificate
- New Certificate Registration (BULK)
Bulk Certificate Registration allows multiple certificate registrations to be created concurrently via a CSV upload. For this example, we will use single certificate registration. Click New Certificate in the Certificate Management section of the left-hand menu. Select the appropriate profile and license and then click Next. Enter the Common Name and Email Address on the following screen. To ensure the certificate can only be installed on one specific device, you can add the UDID or IMEI to the Device Authentication ID field. The Pickup Password will be used during installation of the certificate. Once you finish filling out the fields, click the Next button. A certificate pickup email will be sent to the user.

SETTING UP THE END USER DEVICE
On the end user device, certificate retrieval and VPN access are automatically set up by following the procedure below. Before installing the certificate, ensure the AnyConnect iOS app is installed on the device. Using the email client on the device, click the URL in the pickup email.

You will be redirected to the GlobalSign website and asked for the pickup password. Enter the password, click the Get Cert button, and follow the instructions on the screen to install the certificate and VPN profile on the device. Click the Install button on the screen below to finish installing the certificate. The certificate installation process is now complete.

CONNECTING TO YOUR VPN
You can now connect to the VPN by opening the AnyConnect app and flicking the AnyConnect VPN switch to On.

GLOBALSIGN CONTACT INFORMATION
GlobalSign Americas: Tel: 1 877 775 4562, www.globalsign.com, sales-us@globalsign.com
GlobalSign EU: Tel: +32 16 891900, www.globalsign.eu, sales@globalsign.com
GlobalSign UK: Tel: +44 1622 766766, www.globalsign.co.uk, sales@globalsign.com
GlobalSign FR: Tel: +33 1 82 88 01 24, www.globalsign.fr, ventes@globalsign.com
GlobalSign DE: Tel: +49 30 8878 9310, www.globalsign.de, verkauf@globalsign.com
GlobalSign NL: Tel: +31 20 8908021, www.globalsign.nl, verkoop@globalsign.com