On Thu, Dec 18, 2014 at 00:29:48, Kris Amy wrote:

> Subject: [c-nsp] ASA 5500 SSL VPN Auth
>
> Hi All,
>
> Been searching through the archives and haven't seen this setup, wondering
> if anyone has done this and has any pointers...
>
What pointers are you looking for? I've done a configuration like this before for kiosks using a specific group-url, a cert enroll tunnel-group, and a certificate map to match the presented certificate against the device certificate on the ASA and issuing CA. Getting a device certificate on the ASA and importing the CA are pretty easy. The bigger pain is at the certificate map. Here's a small example that should point you in the right direction.

    crypto ca certificate map <name> 1
     issuer-name attr cn eq <intermediate>
    crypto ca certificate map <name> 2
     issuer-name attr cn eq <root>
    crypto ca certificate map <name> 3
     issuer-name attr cn eq <full name>

I don't recall the crypto debugs now, but you can see where it's matching.

> I'm attempting to do SSL VPN termination on a pair of Cisco ASA 5500s (active
> failover). To do auto-login without storing the username/password on the
> client machine I plan on deploying a PKI environment which the ASAs will
> then use for authenticating the end-points. The endpoints are required to
> have static IPs as well.

HTH
-ryan

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
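To show how the certificate map from the reply above is actually wired to a certificate-only tunnel group and a group-url, here is an added configuration sketch that is not from the thread; every name in it (KIOSK-MAP, KIOSK-TG, KIOSK-GP, KIOSK-POOL, the CA common names and the URL) is a placeholder, and the issuing CA is assumed to already be installed as a trustpoint on the ASA, since the issuer-name match only selects the tunnel group and the trustpoint is what validates the chain.

```cisco
! Certificate map: a client certificate matches the map if it satisfies
! ANY rule; the attributes inside one rule must ALL match.
! Rule 10: certificates issued directly by the kiosk issuing CA
crypto ca certificate map KIOSK-MAP 10
 issuer-name attr cn eq KIOSK-ISSUING-CA
! Rule 20: certificates issued directly by the root (if any are in use)
crypto ca certificate map KIOSK-MAP 20
 issuer-name attr cn eq KIOSK-ROOT-CA

! Group policy and address pool handed to matched kiosks (placeholders)
ip local pool KIOSK-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
group-policy KIOSK-GP internal
group-policy KIOSK-GP attributes
 vpn-tunnel-protocol ssl-client

! Tunnel group for the kiosks: no username/password, certificate only
tunnel-group KIOSK-TG type remote-access
tunnel-group KIOSK-TG general-attributes
 default-group-policy KIOSK-GP
 address-pool KIOSK-POOL
tunnel-group KIOSK-TG webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/kiosk enable

! Bind the certificate map to the tunnel group so a matching client
! certificate lands in KIOSK-TG even if it did not use the group-url
webvpn
 enable outside
 anyconnect enable
 certificate-group-map KIOSK-MAP 10 KIOSK-TG
```

Per-kiosk static addresses can then be tied to the identity the ASA derives from the certificate rather than to anything stored on the client; which certificate field becomes that identity is a separate tunnel-group setting not shown here.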