ASA 8.x: AnyConnect SSL VPN CAC-SmartCards Configuration for Windows

Introduction

This document provides a sample configuration on Cisco Adaptive Security Appliance (ASA) for AnyConnect VPN remote access for Windows with the Common Access Card (CAC) for authentication.

The scope of this document is to cover the configuration of Cisco ASA with Adaptive Security Device Manager (ASDM), Cisco AnyConnect VPN Client and Microsoft Active Directory (AD)/Lightweight Directory Access Protocol (LDAP).

The configuration in this guide uses a Microsoft AD/LDAP server. This document also covers advanced features such as OCSP, LDAP attribute maps and Dynamic Access Policies (DAP).

Prerequisites

Requirements

A basic understanding of Cisco ASA, Cisco AnyConnect Client, Microsoft AD/LDAP and Public Key Infrastructure (PKI) helps in comprehending the complete setup. Familiarity with AD group membership and user properties, as well as LDAP objects, helps in correlating certificate attributes with AD/LDAP objects during authorization.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 5500 Series Adaptive Security Appliance (ASA) that runs the software version 8.0(x) and later

  • Cisco Adaptive Security Device Manager (ASDM) version 6.x for ASA 8.x

  • Cisco AnyConnect VPN Client for Windows

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Cisco ASA Configuration

This section covers the configuration of Cisco ASA via ASDM. It covers the steps needed to deploy a VPN remote access tunnel through an SSL AnyConnect connection. The CAC certificate is used for authentication, and the User Principal Name (UPN) attribute in the certificate is populated in Active Directory for authorization.
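The authorization step described above, as an added example that is not part of Cisco's document: the UPN is read from the CAC certificate's Subject Alternative Name (SAN), where CAC certificates carry it as an otherName with the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3, and is then matched against the directory. The tiny DER encoder/parser, the sample UPN "1234567890@mil" and the DIRECTORY table are all constructed for this example; the ASA performs the same mapping with its own certificate parser and an LDAP attribute map or DAP rule, not with this code.

```python
# Added example, not from Cisco's document.  Demonstrates certificate UPN ->
# directory entry -> group check.  All sample data below is constructed.

# Microsoft UPN otherName OID (szOID_NT_PRINCIPAL_NAME) used in CAC certificates
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """One DER TLV: tag byte, length, contents."""
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string -> OBJECT IDENTIFIER contents (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """OBJECT IDENTIFIER contents -> dotted string."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; returns (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    start = pos + 2
    if length & 0x80:                        # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[start:start + nbytes], "big")
        start += nbytes
    return tag, buf[start:start + length], start + length


def build_san(upn):
    """Constructed SAN value holding only a UPN otherName.
    GeneralNames ::= SEQUENCE OF GeneralName
    otherName [0] ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }"""
    other_name = der(0x06, encode_oid(UPN_OID)) + der(0xA0, der(0x0C, upn.encode("utf-8")))
    return der(0x30, der(0xA0, other_name))


def extract_upn(san_der):
    """Return the UPN otherName from a DER SAN value, or None if absent."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        return None
    pos = 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                      # skip rfc822Name, dNSName, ...
            continue
        _, oid_raw, after_oid = read_tlv(body, 0)
        if decode_oid(oid_raw) != UPN_OID:
            continue
        _, wrapped, _ = read_tlv(body, after_oid)   # [0] EXPLICIT wrapper
        inner_tag, text, _ = read_tlv(wrapped, 0)
        if inner_tag == 0x0C:                # UTF8String
            return text.decode("utf-8")
    return None


# Constructed stand-in for the AD/LDAP lookup (keyed by userPrincipalName).
DIRECTORY = {
    "1234567890@mil": {"sAMAccountName": "jdoe",
                       "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=mil"]},
    "2222222222@mil": {"sAMAccountName": "asmith", "memberOf": []},
}


def authorize(san_der, required_group):
    """Certificate UPN -> directory entry -> group check.
    Returns (upn, allowed); no UPN, unknown UPN or missing group is denied."""
    upn = extract_upn(san_der)
    if upn is None:
        return None, False
    entry = DIRECTORY.get(upn.lower())
    if entry is None:
        return upn, False
    return upn, required_group in entry["memberOf"]


if __name__ == "__main__":
    print(authorize(build_san("1234567890@mil"),
                    "CN=VPN-Users,OU=Groups,DC=example,DC=mil"))
```

The deny-by-default branches matter more than the allow branch: a certificate with no UPN otherName, a UPN with no directory object, or an object outside the required group all fail closed, which is the behaviour an LDAP attribute map or DAP rule on the ASA should be written to produce.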

Deployment Considerations

  • This guide does NOT cover basic configurations such as interfaces, DNS, NTP, routing, device access, ASDM access and so forth. It is assumed that the network operator is familiar with these configurations.

    Refer to Multifunction Security Appliances for more information.

  • The sections highlighted in RED are mandatory configurations needed for basic VPN access. For example, a VPN tunnel can be set up with the CAC card without OCSP checks, LDAP mappings or Dynamic Access Policy (DAP) checks. DoD mandates OCSP checking, but the tunnel works without OCSP configured.

  • The sections highlighted in BLUE are advanced features that can be included to add more security to the design.

  • ASDM and AnyConnect/SSL VPN cannot use the same port on the same interface. Change the port for one of them so that both remain reachable; for example, use port 445 for ASDM and leave 443 for AnyConnect/SSL VPN. The ASDM URL has changed in 8.x: use https://<ip_address>:<port>/admin.html.

  • The ASA image required is at least 8.0.2.19 and ASDM 6.0.2.

  • AnyConnect/CAC is supported with Vista.

  • See Appendix A for LDAP & Dynamic Access Policy mapping examples for additional policy enforcement.

  • See Appendix D on how to check LDAP objects in Microsoft AD.

  • See Related Information
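The port separation from the deployment considerations above, expressed as ASA CLI lines. This is an added example and not configuration from Cisco's document; the interface names management and outside and the admin subnet 10.1.1.0/24 are assumptions.

```text
! Added example (not from Cisco's document).  Assumed interface names
! "management" and "outside" and assumed admin subnet 10.1.1.0/24.
! ASDM moves to 445 so the AnyConnect/SSL VPN listener keeps 443.
http server enable 445
http 10.1.1.0 255.255.255.0 management
!
webvpn
 port 443
 enable outside
```

After this change ASDM is reached at https://<ip_address>:445/admin.html, as the URL form above indicates, while clients keep connecting to 443. Port 445 is the number the document uses as its illustration; since 445/tcp is also the SMB port and is filtered on many networks, any other unused port works equally well for ASDM as long as it differs from the SSL VPN port on that interface, and restricting the http command to the admin subnet keeps ASDM off the client-facing address space.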