
Configuring Clientless SSL VPN on Cisco ASA with Microsoft Windows Certificate Authority
This allows us to control access to our VPN gateway not only by username and password, but by a further step that allows only trusted computers to connect. With AAA and certificate authentication configured, a user can only connect to the VPN gateway if he has a valid username and password and a valid computer certificate installed.
It may be a concern that someone will set up the same certification authority infrastructure and issue certificates to computers, but that will not work. Although the RootCA and SubCA may be forged with the same name and even the same public key, their private keys will be different and impossible to generate from the public key. The signatures on the forged certificates will therefore be different, and they will not validate.

Configure Active Directory Domain Controller for LDAP Authentication


1. Import RootCA and SubCA certificates to Trusted Root Certification Authority store
2. Generate and import a certificate for the domain controller
3. Create an OU and a group inside the OU containing the VPN users; here we name the OU VPNUsersOU and the group VPNUsersGroup
4. Make sure port 636 is open on the firewall and in your malware protection

Installing a Certificate on Cisco ASA


1. Configure a hostname, e.g. ASA1
2. Configure a domain name, e.g. infra.com.af
3. Configure a DNS server, in this case it will be your Active Directory DNS
4. Set the date and time correctly
5. Import RootCA and SubCA certificates to the CA Certificates store of the ASA
6. Navigate to the Identity Certificates store on the ASA
7. Generate a new key pair
8. Under Advanced, clear the entry for FQDN, e.g. asa1.infra.com.af
9. Enter CN=asa1.infra.com.af
10. Save the request
11. Copy the request to the SubCA
12. Issue and export the certificate
13. Install the certificate on the ASA
14. Configure revocation checking under the CA Certificate node
15. Choose CRL and a static URL for http://IPAddressOfSubCA/VirtualDirectoryName/SubCA.crl

Configure ASA Interface to use the Identity Certificate


1. Navigate to Device Management
2. Advanced
3. SSL Settings
4. Add the desired hashing and encryption algorithms to the right
5. Select the interfaces on which you want to use the certificate, e.g. outside

Configure LDAP for Authentication on Cisco ASA


1. Navigate to Device Management
2. Users and AAA
3. Add an LDAP server and choose Microsoft for the provider
4. Configure all LDAP parameters for the specified OU and group
5. Select LDAP over SSL
6. Do not select any hashing, because it will make usernames case sensitive

Configure a Connection Profile to use LDAP and Certificates


1. Select your desired Connection Profile
2. Under Authentication, select both AAA and Certificate

Configure ASA to allow Password Change at first Logon


1. Select your desired Connection Profile
2. Under the General tab, select Password Management
3. For this option to work, password expiry must not be enabled on the domain controller
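The ASA steps above (certificate installation and CRL checking, SSL settings, the LDAP server, the connection profile with AAA plus certificate authentication, and password management) as one CLI configuration, added here as an example; it is not from the original document. The hostname, domain, FQDN, OU and group names and the CRL URL are the ones the document uses; the domain controller address 10.0.0.10, the LDAP bind account and password, and the trustpoint, key-pair and tunnel-group names are assumed placeholders to replace with your own.

```cisco
! Added example: CLI equivalent of the ASDM steps in this document.
! From the document: ASA1, infra.com.af, asa1.infra.com.af, VPNUsersOU,
! VPNUsersGroup and the SubCA CRL URL.
! Assumed placeholders: 10.0.0.10 (domain controller), the ldapbind account,
! and the trustpoint, key-pair and tunnel-group names.

! Steps 1-4: hostname, domain, DNS (the Active Directory DNS) and time
hostname ASA1
domain-name infra.com.af
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.10
ntp server 10.0.0.10

! Step 5: import RootCA and SubCA into the CA certificate store
! (paste each PEM certificate when prompted by crypto ca authenticate)
crypto ca trustpoint RootCA-TP
 enrollment terminal
crypto ca authenticate RootCA-TP

! Steps 14-15: CRL checking for certificates issued by the SubCA,
! using the static URL from the document
crypto ca trustpoint SubCA-TP
 enrollment terminal
 revocation-check crl
 crl configure
  policy static
  url 1 http://IPAddressOfSubCA/VirtualDirectoryName/SubCA.crl
crypto ca authenticate SubCA-TP

! Steps 6-13: key pair, request with CN=asa1.infra.com.af and no FQDN,
! issued by the SubCA and installed as the ASA identity certificate
crypto key generate rsa label ASA1-KEY modulus 2048
crypto ca trustpoint ASA1-ID
 enrollment terminal
 fqdn none
 subject-name CN=asa1.infra.com.af
 keypair ASA1-KEY
! paste the SubCA certificate, then copy the displayed request to the SubCA
crypto ca authenticate ASA1-ID
crypto ca enroll ASA1-ID
! paste the certificate issued and exported from the SubCA
crypto ca import ASA1-ID certificate

! Configure ASA Interface to use the Identity Certificate: bind it to
! outside and choose the hashing and encryption algorithms
! (ssl cipher is the 9.3(2)+ syntax; older releases use ssl encryption)
ssl trust-point ASA1-ID outside
ssl cipher tlsv1.2 high

! Configure LDAP for Authentication: Microsoft server type, LDAP over SSL
! on port 636, scoped to the VPNUsersOU container. No sasl-mechanism line,
! matching the document's advice not to select hashing.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn OU=VPNUsersOU,DC=infra,DC=com,DC=af
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=ldapbind,OU=VPNUsersOU,DC=infra,DC=com,DC=af
 ldap-login-password <bind-password>
 ldap-group-base-dn OU=VPNUsersOU,DC=infra,DC=com,DC=af

! Connection Profile: LDAP (AAA) plus certificate authentication, and
! password management so a user can change an expired password at logon
tunnel-group CLIENTLESS-VPN type remote-access
tunnel-group CLIENTLESS-VPN general-attributes
 authentication-server-group AD-LDAP
 password-management
tunnel-group CLIENTLESS-VPN webvpn-attributes
 authentication aaa certificate
webvpn
 enable outside
```

Group membership in VPNUsersGroup is not enforced by the LDAP server entry alone; ldap-group-base-dn only tells the ASA where to search for groups, so restrict access to the group through an LDAP attribute map or a dynamic access policy, as the document's step "Configure all LDAP parameters for the specified OU and group" implies.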

Configure VPN Client Computers for Certificate Authentication


1. Generate a Computer Certificate with an exportable private key
2. Import the certificate into the Personal store of the computer
3. Export the certificate along with its private key
4. Import it into the Personal store of your preferred web browser
