3.Cisco ASA Anyconnect Local CA user certificate


In previous lessons you learned how to configure the ASA for anyconnect SSL VPN and also how to self-sign certificates on the ASA. In both of these lessons the remote user was authenticating with username and password.

When we configured the ASA to self sign its certificate, we used the ASA as a local CA. The cool thing is that we can also use this feature to create certificates for our users. This allows us to have two-factor authentication for the remote users: username/password + user certificate.

I’m going to assume that you have a working anyconnect SSL VPN configuration. If you don’t, follow the steps in the anyconnect SSL VPN lesson before you continue.

We will use the following topology:

ASA1 Remote User Certificate Authentication

On the left side we have the ASA and on the right side is a remote user that reaches the ASA on its outside interface. The ASA will be configured as a local CA and we will generate two certificates:

  1. User certificate that the user will use for authentication.
  2. ASA certificate so that the user can validate the ASA firewall.

We will start with the configuration of the local CA!

1.Configuration

1.1.ASA Local CA Configuration

First we will configure the ASA as a local CA:

ASA1(config)# crypto ca server
ASA1(config-ca-server)# smtp from-address LOCAL-CA@NETWORKLESSONS.LOCAL
ASA1(config-ca-server)# subject-name-default CN=ASA1 O=NETWORKLESSONS.LOCAL C=NL
ASA1(config-ca-server)# lifetime ca-certificate 1825
ASA1(config-ca-server)# lifetime certificate 365
ASA1(config-ca-server)# issuer-name CN=ASA1-LOCAL-CA C=NL O=NETWORKLESSONS.LOCAL
ASA1(config-ca-server)# keysize server 2048
ASA1(config-ca-server)# no shutdown

The from address is a required field so I just made up an e-mail address. The lifetime of the root CA certificate is 1825 days (5 years) and when our local CA issues a certificate, it is valid for 365 days (1 year). Once you enable the local CA with no shutdown you will see this:

% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: ***********

Re-enter passphrase: ***********

Keypair generation process begin. Please wait...

Completed generation of the certificate and keypair...

Archiving certificate and keypair to storage... Complete
INFO: 
Certificate Server enabled.

The ASA will ask you to choose a passphrase for the private key. Create a strong passphrase and once it’s done, the certificate server will be up and running. You can see our certificate here:

ASA1# show crypto ca certificates 
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name: 
    cn=ASA1-LOCAL-CA C=NL O=NETWORKLESSONS.LOCAL
  Subject Name:
    cn=ASA1-LOCAL-CA C=NL O=NETWORKLESSONS.LOCAL
  Validity Date: 
    start date: 14:36:13 UTC Dec 16 2014
    end   date: 14:36:13 UTC Dec 15 2019
  Associated Trustpoints: LOCAL-CA-SERVER 

Certificate
  Status: Available
  Certificate Serial Number: 370d8754
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name: 
    hostname=ASA1.NETWORKLESSONS.LOCAL
    cn=ASA1.NETWORKLESSONS.LOCAL
  Subject Name:
    hostname=ASA1.NETWORKLESSONS.LOCAL
    cn=ASA1.NETWORKLESSONS.LOCAL
  Validity Date: 
    start date: 14:03:52 UTC Dec 10 2014
    end   date: 14:03:52 UTC Dec 7 2024
  Associated Trustpoints: SELF_TRUSTPOINT

You can see the certificate that we created. The trustpoint (that’s where the certificates are stored) is created automatically.
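The output above is also worth reading with an auditor's eye: the CA certificate is signed with SHA1, and the self-signed certificate from the earlier lesson (SELF_TRUSTPOINT) uses a 1024-bit RSA key. The following is an added example, not part of the lesson and not a Cisco tool, that parses pasted `show crypto ca certificates` output and flags small RSA keys, MD5/SHA1 signatures, and certificates that are expired or close to expiry. The sample output is a constructed copy of the output above; the 2048-bit minimum and the 30-day warning window are assumed policy values.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two certificates from the lesson's
# "show crypto ca certificates" output, copied verbatim.
SAMPLE_OUTPUT = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=ASA1-LOCAL-CA C=NL O=NETWORKLESSONS.LOCAL
  Subject Name:
    cn=ASA1-LOCAL-CA C=NL O=NETWORKLESSONS.LOCAL
  Validity Date:
    start date: 14:36:13 UTC Dec 16 2014
    end   date: 14:36:13 UTC Dec 15 2019
  Associated Trustpoints: LOCAL-CA-SERVER

Certificate
  Status: Available
  Certificate Serial Number: 370d8754
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=ASA1.NETWORKLESSONS.LOCAL
    cn=ASA1.NETWORKLESSONS.LOCAL
  Subject Name:
    hostname=ASA1.NETWORKLESSONS.LOCAL
    cn=ASA1.NETWORKLESSONS.LOCAL
  Validity Date:
    start date: 14:03:52 UTC Dec 10 2014
    end   date: 14:03:52 UTC Dec 7 2024
  Associated Trustpoints: SELF_TRUSTPOINT
"""

ASA_DATE_FMT = "%H:%M:%S UTC %b %d %Y"   # e.g. "14:36:13 UTC Dec 16 2014"
MIN_RSA_BITS = 2048                       # assumed policy threshold
WEAK_SIG_ALGS = ("MD5", "SHA1")           # signature hashes to flag
EXPIRY_WARNING = timedelta(days=30)       # assumed warning window

DATE_RE = re.compile(r"\s*(start|end)\s+date:\s*(.+)$")
KEY_RE = re.compile(r"\s*Public Key Type:\s*(\w+)\s*\((\d+) bits\)")
SIG_RE = re.compile(r"\s*Signature Algorithm:\s*(.+)$")
TP_RE = re.compile(r"\s*Associated Trustpoints:\s*(.+)$")


def parse_asa_date(text):
    """Turn an ASA timestamp such as '14:03:52 UTC Dec 7 2024' into a naive UTC datetime."""
    return datetime.strptime(text.strip(), ASA_DATE_FMT)


def parse_certificates(text):
    """Return one dict per certificate block in 'show crypto ca certificates' output."""
    certs, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # an unindented line starts a new block
            current = {"type": line.strip()}
            certs.append(current)
            continue
        if current is None:
            continue
        if m := DATE_RE.match(line):
            current[m.group(1)] = parse_asa_date(m.group(2))
        elif m := KEY_RE.match(line):
            current["key_type"], current["key_bits"] = m.group(1), int(m.group(2))
        elif m := SIG_RE.match(line):
            current["sig_alg"] = m.group(1).strip()
        elif m := TP_RE.match(line):
            current["trustpoint"] = m.group(1).strip()
    return certs


def audit_certificates(certs, now):
    """Return (trustpoint, finding) tuples for anything a reviewer should flag."""
    findings = []
    for c in certs:
        tp = c.get("trustpoint", "<no trustpoint>")
        if c.get("key_type") == "RSA" and c.get("key_bits", 0) < MIN_RSA_BITS:
            findings.append((tp, f"RSA key is only {c['key_bits']} bits"))
        if any(alg in c.get("sig_alg", "").upper() for alg in WEAK_SIG_ALGS):
            findings.append((tp, f"weak signature algorithm: {c['sig_alg']}"))
        if "end" in c:
            if c["end"] <= now:
                findings.append((tp, f"expired on {c['end']:%Y-%m-%d}"))
            elif c["end"] - now <= EXPIRY_WARNING:
                findings.append((tp, f"expires soon ({c['end']:%Y-%m-%d})"))
    return findings


if __name__ == "__main__":
    # ASA timestamps are UTC, so compare against a naive UTC clock.
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    for tp, finding in audit_certificates(parse_certificates(SAMPLE_OUTPUT), now):
        print(f"{tp}: {finding}")
```

Run against the lesson's own output on the day it was taken, the script reports the SHA1 signatures on both certificates and the 1024-bit key behind SELF_TRUSTPOINT; run today it also reports both as expired, which is the kind of drift a periodic check is meant to catch.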

1.2.Enroll User Certificate

We can now add a user to the CA database. When you do this, the username has to be the same as the common name (CN):

ASA1(config)# crypto ca server user-db add cert_user dn CN=cert_user
INFO: User added as 'cert_user'

The user account “cert_user” has been added. We will allow this user to enroll a certificate by using an OTP (One Time Password). Here’s how we enable this:

ASA1(config)# crypto ca server user-db allow cert_user display-otp 
Username: cert_user
OTP: 805AF0FE3FD89EFE
Enrollment Allowed Until: 14:40:53 UTC Fri Dec 19 2014

Above you can see our OTP. When the user requests to enroll the certificate, we’ll need to enter the OTP. Instead of displaying the OTP, you can also have it delivered by e-mail.

Everything is now in place on the ASA. Let’s enroll the user certificate on a computer. I will use a Windows 7 computer with Internet Explorer. Open the following URL:

https://asa1.networklessons.local/+CSCOCA+/enroll.html

You will see the following screen:

Cisco ASA Local CA enroll

This is where the user can enroll a certificate. Enter the username that we created earlier and the OTP. Once you hit submit, the certificate will be created and you can download it:

Cisco ASA Local CA User certificate

Save this file somewhere; I’ll call mine “cert_user”:

Cisco ASA Local CA user certificate save

Open the folder where you saved your user certificate, right-click on the certificate file and select “Install PFX”:

Cisco ASA install user certificate

Once you do this, it will start the certificate import wizard, which looks like this:

Cisco ASA certificate import wizard

Click Next to continue and the wizard will ask what certificate we want to import:

Cisco ASA certificate import wizard file name

Our certificate is already selected so just hit Next to continue and we’ll see this:

Cisco ASA certificate import wizard OTP

The wizard prompts for the password of the private key. You need to enter the OTP here and click Next to continue. Now we need to select where we want to store the certificate:

Cisco ASA certificate import wizard store

You can let it choose automatically where to store the certificate. Our user certificate will be installed in the personal folder and the CA certificate will be in the trusted root folder. We will verify this in a bit. Click Next to continue:

Cisco ASA certificate import wizard complete

Just click Finish and you will get a security warning:

Cisco ASA certificate import wizard warning

Click Yes and the certificate will be installed, here’s the end result:

Cisco ASA certificate import wizard successful

Click OK and we will take a look at our user certificate. Click on the Windows Start button, click on Run and enter “certmgr.msc” and hit enter. You will see the certificate manager:

Cisco ASA User Certificate certmgr

If you look in the Personal folder then you will find our user certificate. We can also see it on the ASA:

ASA1# show crypto ca server user-db 
username: cert_user
email:    <None>
dn:       CN=CERT_USER
allowed:  14:40:53 UTC Fri Dec 19 2014
notified: 0 times
enrollment status: Enrolled, Certificate valid until 14:47:46 UTC Wed Dec 16 2015, 
Renewal: Allowed

Excellent, the user certificate has been successfully enrolled and we verified this on the user computer and ASA.

1.3.Enroll ASA Certificate

So far we configured the ASA to be a local CA and we enrolled a certificate to a user. When the user connects and authenticates, he/she will show the certificate to the ASA for user authentication. The ASA will also present its certificate to the user so that the user can validate the ASA. This means we will need to generate a certificate on the ASA that we can present to the user.

We can’t directly enroll the certificate from the ASA; we need to do this through the web browser. We will use a Windows 7 computer from an administrator to enroll the ASA certificate, save it and then import it on the ASA using the CLI or ASDM. Let’s start with the ASA configuration first. We will create a username for the ASA, just like we did for the user:

ASA1(config)# crypto ca server user-db add asa1 dn CN=ASA1.NETWORKLESSONS.LOCAL,C=NL,O=NETWORKLESSONS.LOCAL
INFO: User added as 'asa1'

Something important to keep in mind is that the username has to match the hostname of your ASA. We will now enable an OTP for the enrollment:

ASA1(config)# crypto ca server user-db allow asa1 display-otp 
Username: asa1
OTP: 2673CDA6D45D4D1A
Enrollment Allowed Until: 15:04:07 UTC Fri Dec 19 2014

We will now use an admin computer to create the certificate so that we can install it afterwards on the ASA. I’ll use a Windows 7 computer with Internet explorer for this. Open the following URL:

https://asa1.networklessons.local/+CSCOCA+/enroll.html

And you will see the following screen:

Cisco ASA Admin certificate login

Enter the ASA1 username and OTP that we just created and hit Submit. The certificate will be created and you can download it:

Cisco ASA admin certificate save file

Save this file somewhere, I’ll put it on my desktop:

cisco asa admin certificate save file location

We now have the certificate for our ASA. Our next step is to install this certificate on the ASA. There are two options for this:

  • Import the certificate using the CLI
  • Import the certificate using ASDM

I will show you both methods; we’ll start with the CLI.

1.4.Import ASA certificate with CLI

The ASA only accepts a base 64 format certificate (PEM file) but we have a PKCS12 certificate (p12 file). We need to convert this file, which I did on a Linux host:

$ openssl base64 -in asa1.p12 -out asa1.pem

We can now import the certificate on the ASA, and we’ll do this in its own trustpoint:

ASA1(config)# crypto ca import MY_TRUSTPOINT pkcs12 2673CDA6D45D4D1A

The trustpoint is called “MY_TRUSTPOINT” and the number at the end is the OTP. Once you hit Enter you will see this:

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:

You can now open the certificate file in a text editor and paste the entire certificate. It will look similar to this:

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
MIILkQIBAzCCC0sGCSqGSIb3DQEHAaCCCzwEggs4MIILNDCCCzAGCSqGSIb3DQEH
AaCCCyEEggsdMIILGTCCA08GCyqGSIb3DQEMCgECoIICpTCCAqEwGwYKKoZIhvcN
[output omitted]
AFMAUwBPAE4AUwAuAEwATwBDAEEATDA9MCEwCQYFKw4DAhoFAAQU7PZjXbB28Oql
6pokVPJVLV6sGmoEFK+Ug54/JgsxxUzVGArBQLoHVD5MAgIEAA==
quit
INFO: Import PKCS12 operation completed successfully

Once you have pasted everything, type quit and you will get a message that the certificate has been successfully installed. If you think importing the certificate using the CLI is too much of a hassle, here’s the ASDM method:

1.5.Import ASA certificate with ASDM

Make sure you can access ASDM. If you have never used it before, take a look at this lesson.

Once you are logged in, go to Configuration > Certificate Management > Identity Certificates:

Cisco ASA ASDM Identity Certificates

Click on the Add button and you will see this:

Cisco ASA ASDM Import Identity Certificate

Enter a name for the trustpoint and select the certificate. The advantage of ASDM is that you don’t have to convert the certificate yourself to the base64 format. Click on Add Certificate and you are done.

1.6.Enable Trustpoint

We need to enable the trustpoint that we just created on the outside interface of the ASA so that it is used for certificate validation. Here’s how:

ASA1(config)# crypto ca trustpoint LOCAL-CA-SERVER
ASA1(config-ca-trustpoint)# no client-types

The trustpoint “LOCAL-CA-SERVER” was automatically created when we configured the local CA. We tell the ASA not to use this trustpoint for certificate validation. Now we enable the correct trustpoint:

ASA1(config)# crypto ca trustpoint MY_TRUSTPOINT
ASA1(config-ca-trustpoint)# client-types ssl

This is the trustpoint that we just created, it will be used for certificate validation. Now enable it on the outside interface:

ASA1(config-ca-trustpoint)# ssl trust-point MY_TRUSTPOINT outside

1.7.User Authentication Settings

There are two more steps. First we need to set a password for the user that we created earlier:

ASA1(config)# username cert_user password MY_PASSWORD

And we need to configure the tunnel group so that it enables certificate authentication:

ASA1(config)# tunnel-group MY_TUNNEL webvpn-attributes 
ASA1(config-tunnel-webvpn)# authentication aaa certificate

That’s it, our configuration is now finished. Let’s see if our remote user is able to authenticate using username/password + certificate!

2.Verification

Start your web browser on the user computer and open the following URL:

https://asa1.networklessons.local/

Internet Explorer will ask me to select the certificate that I want to use for authentication:

Cisco ASA anyconnect user certificate

Select the user certificate, click OK and you will see the following login screen:

Cisco ASA anyconnect login

Type in the username and password of the user, click Login and you will be fully authenticated. We can also verify this on the ASA:

ASA1# show vpn-sessiondb detail anyconnect 

Session Type: AnyConnect Detailed

Username     : cert_user              Index        : 20
Assigned IP  : 192.168.10.100         Public IP    : 10.10.10.2
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : Clientless: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 395056                 Bytes Rx     : 52324
Pkts Tx      : 81                     Pkts Rx      : 21
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : ANYCONNECT_POLICY      Tunnel Group : MY_TUNNEL
Login Time   : 16:46:02 UTC Tue Dec 16 2014
Duration     : 0h:05m:53s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Clientless Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

Clientless:
  Tunnel ID    : 20.1
  Public IP    : 10.10.10.2
  Encryption   : RC4                    Hashing      : SHA1                   
  Encapsulation: TLSv1.0                TCP Dst Port : 443                    
  Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 24 Minutes             
  Client Type  : Web Browser
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 3.1.03103
  Bytes Tx     : 390071                 Bytes Rx     : 51891

Great! The user is connected and the authentication mode is certificate + password. Mission accomplished!
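Checking “Certificate and userPassword” once by eye is fine for a lab, but on a production ASA you want to confirm that every session on the tunnel group really used certificate + password, and the same output also shows RC4 and TLSv1.0 in use for the clientless tunnel. The following is an added example, not part of the lesson and not a Cisco tool, that parses the two-column `show vpn-sessiondb detail anyconnect` output, reads each tunnel’s Auth Mode, and flags legacy cipher and protocol tokens. The sample is a constructed copy of the output above, and the list of tokens treated as weak is an assumption.

```python
import re

# Constructed sample: the lesson's "show vpn-sessiondb detail anyconnect"
# output, reduced to the session header and the Clientless tunnel section.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : cert_user              Index        : 20
Assigned IP  : 192.168.10.100         Public IP    : 10.10.10.2
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : Clientless: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Group Policy : ANYCONNECT_POLICY      Tunnel Group : MY_TUNNEL
Login Time   : 16:46:02 UTC Tue Dec 16 2014
Duration     : 0h:05m:53s

Clientless Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

Clientless:
  Tunnel ID    : 20.1
  Public IP    : 10.10.10.2
  Encryption   : RC4                    Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Dst Port : 443
  Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 24 Minutes
  Client Type  : Web Browser
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 3.1.03103
"""

# One or two "Key : value" pairs per line; keys are words, spaces or "/".
# The lookahead stops a value where the next key (after 2+ spaces) begins.
PAIR_RE = re.compile(
    r"([A-Za-z][A-Za-z /]*?)\s*:\s+(.*?)(?=\s{2,}[A-Za-z][A-Za-z /]*?\s*:\s|\s*$)"
)
SECTION_RE = re.compile(r"(\S[^:]*):")          # e.g. "Clientless:" on its own
WEAK_TOKENS = ("RC4", "3DES", "TLSv1.0")        # assumed list of legacy settings
EXPECTED_AUTH = "Certificate and userPassword"  # what "authentication aaa certificate" yields


def parse_sessions(text):
    """Return one dict per session; per-tunnel detail sits under session['tunnels']."""
    sessions, session, section = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and (header := SECTION_RE.fullmatch(line)):
            section = header.group(1)             # start of a tunnel detail section
            if session is not None:
                session["tunnels"][section] = {}
            continue
        pairs = {k.strip(): v.strip() for k, v in PAIR_RE.findall(line)}
        if "Username" in pairs:                   # first line of a new session
            session, section = {"tunnels": {}}, None
            sessions.append(session)
        if session is None:
            continue
        indented = line.startswith(" ") and section is not None
        target = session["tunnels"][section] if indented else session
        target.update(pairs)
    return sessions


def check_session(session, expected_auth=EXPECTED_AUTH):
    """Return a list of problems for one session; an empty list means it passes."""
    problems = []
    for name, tunnel in session["tunnels"].items():
        auth = tunnel.get("Auth Mode")
        if auth != expected_auth:
            problems.append(f"{name}: auth mode is {auth!r}, expected {expected_auth!r}")
        for field in ("Encryption", "Encapsulation"):
            for weak in WEAK_TOKENS:
                if weak in tunnel.get(field, ""):
                    problems.append(f"{name}: weak {field.lower()} {weak}")
    return problems


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(s["Username"], s["Tunnel Group"], check_session(s) or "OK")
```

On the lesson's output the auth-mode check passes, and the two remaining findings (RC4 and TLSv1.0 on the clientless tunnel) point at the ssl cipher and ssl version settings rather than at the certificate setup.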

I hope this lesson has been useful for you, if you have any questions feel free to leave a comment.
