ASA with Microsoft Windows Certificate Authority

This allows us to control access to our VPN gateway not only by username and password, but by a further step that admits only trusted computers. With both AAA and certificate authentication configured, a user can connect to the VPN gateway only with a valid username and password and a valid computer certificate installed. It may be a concern that someone could stand up the same certification authority infrastructure and issue their own certificates to computers, but that will not work. Even if the RootCA and SubCA were forged with the same names and even the same public keys, the forger's private keys would be different, since a private key cannot be derived from its public key. Certificates issued by the forged CAs would therefore carry signatures that do not verify against the CA certificates trusted on the ASA.
Configure Active Directory Domain Controller for LDAP Authentication
1. Import RootCA and SubCA certificates to the Trusted Root Certification Authorities store
2. Generate and import a certificate for the domain controller
3. Create an OU and a group inside the OU containing the VPN users; here we name the OU VPNUsersOU and the group VPNUsersGroup
4. Make sure port 636 is open on the firewall and in your malware protection
1. Configure a domain name, e.g. infra.com.af
2. Configure a DNS server; in this case it will be your Active Directory DNS
3. Set the date and time correctly
4. Import RootCA and SubCA certificates to the CA Certificates store of the ASA
5. Navigate to the Identity Certificates store on the ASA
6. Generate a new key pair
7. Under Advanced, clear the entry for FQDN, e.g. asa1.infra.com.af
8. Enter CN=asa1.infra.com.af
9. Save the request
10. Copy the request to the SubCA
11. Issue and export the certificate
12. Install the certificate on the ASA
13. Configure revocation checking under the CA Certificate node
14. Choose CRL and a static URL of http://IPAddressOfSubCA/VirtualDirectoryName/SubCA.crl
Configure ASA Interface to use the Identity Certificate
1. Navigate to Device Management
2. Advanced
3. SSL Settings
4. Add the desired hashing and encryption algorithms to the right
5. Select the interfaces on which you want to use the certificate, e.g. outside
Configure LDAP for Authentication on Cisco ASA
1. Navigate to Device Management
2. Users and AAA
3. Add an LDAP server and choose Microsoft as the provider
4. Configure all LDAP parameters for the specified OU and group
5. Select LDAP over SSL
6. Do not select any hashing, because it will make usernames case sensitive
Configure a Connection Profile to use LDAP and Certificates
1. Select your desired Connection Profile
2. Under Authentication, select both
Configure ASA to allow Password Change at first Logon
1. Select your desired connection profile
2. Under the General tab, select Password Management
3. For this option to work, password expiry must not be enabled on the domain controller
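The ASA steps above (identity certificate with CRL checking, SSL trust-point on the outside interface, LDAP over SSL, and a connection profile requiring both AAA and a certificate) map onto the following ASA CLI configuration. This is an added example, not configuration from the original page; the hostnames, IP addresses, key and trustpoint labels, bind account and CRL path are constructed assumptions to be replaced with your own values.

```cisco
! Constructed values: IP addresses, labels, bind DN and CRL path are assumptions
hostname asa1
domain-name infra.com.af
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.10
!
! Trust the RootCA and SubCA certificates (paste the PEM at the prompt)
crypto ca trustpoint ROOT-CA
 enrollment terminal
 revocation-check none
crypto ca authenticate ROOT-CA
!
! Identity certificate issued by the SubCA, with static CRL checking
crypto key generate rsa label ASA-KEY modulus 2048
crypto ca trustpoint SUB-CA
 enrollment terminal
 fqdn none
 subject-name CN=asa1.infra.com.af
 keypair ASA-KEY
 revocation-check crl
 crl configure
  policy static
  url 1 http://10.0.0.20/CertEnroll/SubCA.crl
crypto ca authenticate SUB-CA
crypto ca enroll SUB-CA
crypto ca import SUB-CA certificate
!
! Present the identity certificate on the outside interface
ssl trust-point SUB-CA outside
!
! LDAP over SSL (port 636) to the domain controller, scoped to the VPN OU
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn OU=VPNUsersOU,DC=infra,DC=com,DC=af
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=ldapbind,CN=Users,DC=infra,DC=com,DC=af
 ldap-login-password <bind-password>
!
! Connection profile: LDAP credentials and a valid client certificate required
tunnel-group VPN-PROFILE type remote-access
tunnel-group VPN-PROFILE general-attributes
 authentication-server-group LDAP-AD
 password-management
tunnel-group VPN-PROFILE webvpn-attributes
 authentication aaa certificate
```

Restricting logins to VPNUsersGroup rather than the whole OU additionally needs an LDAP attribute map on the aaa-server, which is not shown here.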
Configure VPN Client Computers for Certificate Authentication
1. Generate a computer certificate with an exportable private key
2. Import the certificate into the Personal store of the computer
3. Export the certificate along with its private key
4. Import it into the Personal store of your preferred web browser