
List:       cisco-nsp
Subject:    Re: [c-nsp] ASA 5500 SSL VPN Auth
From:       Kris Amy <kris () amy ! id ! au>
Date:       2014-12-18 7:26:08
Message-ID: CANHuy3iEzZo7uRE4gFP+t+dpVzxeGjR8qfjBpPLypcOOfs9PsQ () mail ! gmail ! com

Hi Ryan,

Thanks. That's where I was up to and got stuck. I got auth going no problem
but could not assign a specific IP to each end-point.

Got what I needed; now it's working as expected.

Cheers,
Kris

On 17 December 2014 at 23:58, Ryan West <rwest@zyedge.com> wrote:
>
> On Thu, Dec 18, 2014 at 00:29:48, Kris Amy wrote:
> > Subject: [c-nsp] ASA 5500 SSL VPN Auth
> >
> > Hi All,
> >
> > Been searching through the archives and haven't seen this setup, wondering
> > if anyone has done this and has any pointers...
> >
>
> What pointers are you looking for?  I've done a configuration like this
> before for Kiosks using a specific group-url, a cert enroll tunnel-group,
> and a certificate map to match the presented certificate against the device
> certificate on the ASA and issuing CA.  Getting a device certificate on the
> ASA and importing CA are pretty easy.  The bigger pain is at the
> certificate map.  Here's a small example that should point you in the right
> direction.
>
> crypto ca certificate map <name> 1
>   issuer-name attr cn eq <intermediate>
> crypto ca certificate map <name> 2
>   issuer-name attr cn eq <root>
> crypto ca certificate map <name> 3
>   issuer-name attr cn eq <full name>
>
> I don't recall the crypto debugs now, but you can see where it's matching.
>
> > I'm attempting to do SSL VPN termination on a pair of Cisco ASA 5500s (active
> > failover). To do auto-login without storing the username/password on the
> > client machine I plan on deploying a PKI environment which the ASAs will
> > then use for authenticating the end-points. The endpoints are required to
> > have static IPs as well.
>
> HTH
>
> -ryan
>
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
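The thread describes the pieces (device certificate on the ASA, imported CA, a certificate map, a group-url tunnel-group that authenticates by certificate) but never shows the part Kris got stuck on: giving each certificate-authenticated endpoint its own fixed address. The fragment below is an added example, not configuration posted by either participant; it assumes a trustpoint named CORP-CA, an issuing CA whose CN is "corp-issuing-ca", kiosk certificates with OU=kiosk and the device name in the CN, the hostname vpn.example.com, and the 10.10.10.0/24 pool. The per-endpoint static address is done the usual ASA way for certificate-only auth: the username is derived from the certificate CN, LOCAL authorization is required, and a local user entry carries a vpn-framed-ip-address.

```cisco
! --- Added example, not from the original thread. Names and addresses are assumptions. ---

! Issuing CA import. "crypto ca authenticate CORP-CA" is then run from exec mode
! and the CA certificate pasted in. Revocation checking matters here: with
! certificate-only login, a stolen kiosk is locked out only if its cert can be
! revoked and the ASA actually checks. Adjust to your PKI (CRL or OCSP).
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl
 crl configure

! Certificate map: each sequence is an independent rule; the map matches if any
! rule matches (which is why Ryan's example has one rule per issuer). Here a
! single rule requires our issuing CA *and* the kiosk OU, so an ordinary user
! certificate from the same CA does not land in the kiosk tunnel-group.
crypto ca certificate map KIOSK-MAP 10
 issuer-name attr cn eq corp-issuing-ca
 subject-name attr ou eq kiosk

! Fallback pool for any endpoint that has no static assignment.
ip local pool KIOSK-POOL 10.10.10.100-10.10.10.200 mask 255.255.255.0

group-policy KIOSK-GP internal
group-policy KIOSK-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value KIOSK-POOL

tunnel-group KIOSK-TG type remote-access
tunnel-group KIOSK-TG general-attributes
 default-group-policy KIOSK-GP
 ! Take the username from the certificate CN, then require a LOCAL
 ! authorization lookup so the per-user attributes below are applied.
 username-from-certificate CN
 authorization-server-group LOCAL
 authorization-required
tunnel-group KIOSK-TG webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/kiosk enable

! One local entry per endpoint: the name must equal the certificate CN.
! nopassword is fine because the certificate is the credential; the entry
! exists only to carry authorization attributes.
username kiosk-001 nopassword
username kiosk-001 attributes
 vpn-framed-ip-address 10.10.10.11 255.255.255.0
 vpn-group-policy KIOSK-GP
 service-type remote-access
username kiosk-002 nopassword
username kiosk-002 attributes
 vpn-framed-ip-address 10.10.10.12 255.255.255.0
 vpn-group-policy KIOSK-GP
 service-type remote-access

webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
 ! Route certificates matching KIOSK-MAP into KIOSK-TG.
 certificate-group-map KIOSK-MAP 10 KIOSK-TG
! Make the ASA request a client certificate during the TLS handshake.
ssl certificate-authentication interface outside port 443
```

To confirm the map and the authorization lookup are doing what you expect, connect one kiosk and check "show vpn-sessiondb anyconnect": the Username column should show the certificate CN and Assigned IP the framed address, not one from KIOSK-POOL. If a kiosk gets a pool address instead, the CN in the certificate and the local username differ (case and any spaces included). "debug crypto ca 3" during a connection shows which certificate map rule matched, which is the debug Ryan was referring to.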