This document provides a sample configuration for a Cisco IOS® router for a Secure Sockets Layer (SSL) VPN configuration where certificate maps are used to authorize a user connection to a specific WebVPN context on the router. It makes use of dual authentication: a certificate plus a user ID and password.
Cisco recommends that you have knowledge of SSL VPN configuration on Cisco IOS routers.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Caution: A known issue with certificate maps is that users with certificates that do not match the criteria specified in the certificate maps are still able to connect. This is documented in Cisco bug ID CSCug39152. This configuration only works on Cisco IOS software versions that have the fix for this bug.
The sample configuration in this section uses multiple WebVPN contexts in order to satisfy the requirement described in the introduction. Users in the various groups authenticate with two factors: a certificate and a user ID and password. In this particular configuration, once users have authenticated themselves, the router differentiates end users based on the unique Organizational Unit (OU) field in their certificate.
Step 1. Generate Router Identity Certificate
The router uses an identity certificate to present its identity to the end user who connects to the SSL VPN. You can use either a router-generated self-signed certificate or a third-party certificate based on your requirements.
Router(config)#crypto key generate rsa label RTR-ID modulus 1024 exportable
The name for the keys will be: RTR-ID

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

Router(config)#
! Generates 1024 bit RSA key pair. "label" defines
! the name of the Key Pair.
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#crypto pki trustpoint RTR-ID
Router(ca-trustpoint)#rsakeypair RTR-ID
Router(ca-trustpoint)#enrollment terminal
Router(ca-trustpoint)#subject-name CN=webvpn.cisco.com, OU=TSWEB,O=Cisco Systems,C=US,St=California,L=San Jose
Router(ca-trustpoint)#revocation-check none
Router(ca-trustpoint)#exit
! Trustpoint RTR-ID uses the RSA key pair generated above, enrolls by
! displaying the request at the terminal, and skips revocation checking.
! The subject-name and enroll commands are implied by the prompts below.
Router(config)#crypto pki enroll RTR-ID
% The subject name in the certificate will include: CN=webvpn.cisco.com, OU=TSWEB,O=Cisco Systems,C=US,St=California,L=San Jose
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
Router(config)#
Step 2. Configure the Certificate Maps
A certificate map is used to classify incoming VPN client connections into specific WebVPN contexts. This classification is performed based on the matching criteria configured in the certificate map. This configuration shows how to check the OU field of the end-user certificate.
Note: When you configure certificate maps, if there are multiple instances of the same certificate map, then an OR operation is applied across them. However, if there are multiple rules configured under the same instance of a certificate map, then an AND operation is applied across them. For example, in this configuration, any certificate whose issuer name contains the string "Company" and whose subject name either contains the string "DIAL" or contains "WAN" in the OrganizationalUnit (OU) component will be accepted:
crypto pki certificate map Group 10
 issuer-name co Company
 subject-name co DIAL
crypto pki certificate map Group 20
 issuer-name co Company
 subject-name co ou=WAN
! Sequence numbers are numeric; "10" is the first instance, "20" the second.
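To make the OR/AND semantics from the note concrete, here is an added Python model (not Cisco code, and not part of the original page) that evaluates the two-instance "Group" map above against constructed certificates. It assumes that `co` is a case-insensitive substring match against the full DN string, and it also models `eq`, which goes slightly beyond the page's example.

```python
"""Model of Cisco IOS certificate-map matching (added example, not Cisco code).

Assumptions not stated on the page: 'co' is a case-insensitive substring
match against the full DN string; each rule is (field, operator, value).
"""

# Constructed equivalent of the page's "Group" map: two instances
# (sequence 10 and 20), each holding two rules that must all match.
CERT_MAP_GROUP = {
    10: [("issuer-name", "co", "Company"), ("subject-name", "co", "DIAL")],
    20: [("issuer-name", "co", "Company"), ("subject-name", "co", "ou=WAN")],
}


def rule_matches(rule, cert):
    """Evaluate one rule against a certificate (dict of DN strings)."""
    field, operator, value = rule
    actual = cert.get(field, "")
    if operator == "co":          # 'co' = contains
        return value.lower() in actual.lower()
    if operator == "eq":          # 'eq' = equals
        return value.lower() == actual.lower()
    raise ValueError(f"unsupported operator: {operator}")


def cert_map_matches(cert_map, cert):
    """OR across instances, AND across the rules inside one instance.

    Returns the sequence number of the first matching instance, or None
    when no instance matches (the connection should then be rejected).
    """
    for seq in sorted(cert_map):
        if all(rule_matches(r, cert) for r in cert_map[seq]):
            return seq
    return None


# Constructed sample certificates, not real data.
CERTS = {
    "dial-user": {"issuer-name": "cn=Company CA,o=Company",
                  "subject-name": "cn=alice,ou=DIAL,o=Company"},
    "wan-user":  {"issuer-name": "cn=Company CA,o=Company",
                  "subject-name": "cn=bob,ou=WAN,o=Company"},
    "other-ca":  {"issuer-name": "cn=Other CA,o=Other",
                  "subject-name": "cn=eve,ou=DIAL,o=Other"},
    "no-ou":     {"issuer-name": "cn=Company CA,o=Company",
                  "subject-name": "cn=carol,ou=HR,o=Company"},
}


def classify_all():
    """Map each sample certificate to the instance it matches (or None)."""
    return {n: cert_map_matches(CERT_MAP_GROUP, c) for n, c in CERTS.items()}


if __name__ == "__main__":
    for name, seq in classify_all().items():
        print(f"{name:10s} -> {'instance ' + str(seq) if seq else 'no match'}")
```

The "other-ca" and "no-ou" certificates are the ones a router affected by the bug in the caution above would wrongly let through; on a fixed release they must map to no context.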
Step 3. Configure WebVPN Gateway
The WebVPN gateway is where VPN users terminate their connections. In its simplest configuration, it requires an IP address and an associated trustpoint. The trustpoint "RTR-ID" created in Step 1 is the one associated with the WebVPN gateway here.
The WebVPN context is used to apply specific policies to an end user once connected to the VPN. In this specific example, two different contexts named "finance" and "sales" are created in order to apply different policies to each group.