How to guide: Cisco ASA SSLVPN using Certificates for 2-factor Auth

Decrease your TCO by using Certificates instead of Tokens

I have seen a big shift over the past year towards using digital certificates for 2-factor authentication. Sure, tokens are still the market-share leader for this function, but certificates are gaining due to their low cost and advances in ease of management and deployment. The Cisco ASA has supported certificates for a long time now, but it is only this past year that I see mainstream companies starting to take advantage of the feature en masse. This tech tip will run you through how to quickly set up the ASA for two-factor authentication using certificates. Along the way, I'll show you how to configure the ASA's built-in Certificate Authority (CA) Server. Of course you can always use (and probably should use) an external CA server in production. I recommend using Microsoft's CA server; you can find configuration examples for how to use the ASA and MSFT CA together on

And off we go! First things first, be sure you set up the basics on the ASA: configure your interfaces, routing, clock, timezone, NTP server, domain-name and NAT exemptions for the SSLVPN AnyConnect client address pools. You only have to configure the NAT exemptions if you are using NAT control or the pools fall inside an existing NAT rule. I cannot stress enough the importance of having a reliable clock when using certificate-based authentication: certificate validity periods and CRL checks are all evaluated against the ASA's clock. Be sure you set up NTP and check that it is working with the show ntp status command.

Next, we need to configure our ASA CA server. In ASDM, go to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority. Click on CA Server, check the box to enable the CA server and fill out the form:
1) Check "create certificate authority server".
2) Type in a strong passphrase to protect your new root certificate.
3) Leave the rest of the top part of the form at the defaults.
4) Under "SMTP Server" enter the IP address of your corporate SMTP mail server. This will be used to send enrollment emails to new users, providing them with instructions on how to obtain their new identity certificate. Email is the preferred method for obtaining user certificates; however, it can be done manually, as I'll describe later.
5) Add a "from address" and an email subject line.
6) Click Apply.

Configure a trusted identity certificate on your ASA. It is important that you use an identity certificate from a trusted CA for your ASA. An ASA identity certificate is the certificate that the ASA hands to the SSLVPN clients that connect to it. For everything to work correctly the certificate must match the ASA hostname/IP address, and the end user's client must trust the CA that issued the ASA's identity certificate. A self-signed or other untrusted CA cert is fine for testing but not for production. In fact, I recommend that you don't even bother testing without a full "real" ASA identity certificate at all; too much could go wrong when you switch certificates later. Within ASDM you can sign up for a special promo certificate from Entrust if you'd like, but any trusted public CA will do the trick. To configure the identity certificate on your ASA do the following:
1) First obtain your identity certificate. Make sure it is in PKCS12 format and that it includes the complete certificate chain.
2) Go to Configuration > Remote Access VPN > Certificate Management > Identity Certificates. Click Add.
3) If your ASA will be in DNS then you can use the FQDN as the identifier in the certificate. If it will not be in DNS (only during testing; for production it must be in DNS) then be sure to use the IP address as the identifier.

4) That's it, you're done! However, if you need to do it the hard way, using a certificate signing request, then proceed with steps 5 through the end below.
5) If you need to generate a certificate signing request from the ASA, then instead of doing step 2 do the following.

6) If you will be using only an IP address to get to the ASA then be sure to click on Advanced and fill in the IP address field.
7) Click Add Certificate when done.
8) Now click on Export. This will give you the certificate request that you can deliver to your CA.
9) Once your CA gives you a certificate, go back here and click Install. Browse to the file they gave you and install it.
10) You're done!

Now we need to set up our SSLVPN on the ASA. In this example I'll just be doing a Cisco AnyConnect setup. The easiest way is to use the SSLVPN wizard in ASDM, so go there now (top bar > Wizards > SSLVPN). I'm keeping it simple and using the local user database, but feel free to use LDAP or RADIUS instead for authentication.

Now we need to go back into the connection profile and enable two-factor authentication using certificates. Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Edit the profile you just created. Under the Authentication section choose "Both". This enables both a username/password check and a certificate check, so a client must present a valid certificate and the correct credentials. Click Apply. You're done.

Next you add users to the CA server. For each user created, the CA server will create a unique identity certificate for that user, which the user then needs to install on their computer. Go to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Database.
1) Click Add.
2) Fill in the form. Be sure to include a subject name. If you will be using username pre-fill then be sure to include the username in the subject, i.e. CN=


3) Next click "Email OTP". The ASA will then send an enrollment email to that user. They can then click on the link in the email to install the certificate on their PC.
4) Optional: If you wish to manually enroll and obtain your certificate without email then go to https://

/+CSCOCA+/enroll.html and follow the instructions. You will still need to have your one-time password (OTP) handy though. You can view the OTP in ASDM by selecting the user cert and clicking "View OTP".

Optional: Pre-fill username from certificate. This feature is very useful to ensure that each identity certificate is tied to a specific username/password. It prevents someone from exporting their certificate and giving it to a friend: sure, they can still do that even with pre-fill enabled, but then they will also have to give them their password. Most users are not willing to share a password that is likely connected to many other accounts and programs. To enable pre-fill go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Highlight your profile and click Edit. Go to Advanced > Authentication. Check "Pre-fill username from certificate". Then choose the method that locates the exact username attribute in the certificate; common ones are CN and UPN.
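As an added example (not from the original post), here is the CLI equivalent of the ASDM steps above: NTP, the local CA server, the identity certificate, the AnyConnect connection profile with "Both" authentication, certificate pre-fill and user enrollment. All IP addresses, the trustpoint/pool/tunnel-group names, the domain example.com and the user jdoe are assumed placeholders; the syntax is ASA 8.2-era (8.4 and later rename "svc enable" to "anyconnect enable").

```cisco
! Added example: CLI equivalent of the ASDM walkthrough. Addresses, names and
! the user "jdoe" are placeholders; an AnyConnect image must already be loaded.

! 1. Reliable clock first: certificate validity is checked against it
clock timezone EST -5
ntp server 192.0.2.10 source inside
! verify afterwards with: show ntp status

! 2. Local CA server (lab/testing; prefer an external CA in production)
smtp-server 192.0.2.25
crypto ca server
 passphrase <strong-passphrase>
 subject-name-default O=Example,C=US
 lifetime certificate 365
 smtp from-address vpn-admin@example.com
 smtp subject "Your VPN identity certificate"
 no shutdown

! 3. Trusted identity certificate for the ASA (PKCS12 with the full chain),
!    then bind it to the outside interface for SSL
crypto ca import ASA-ID pkcs12 <pkcs12-passphrase>
! (paste the base64 PKCS12 blob here, then type "quit")
ssl trust-point ASA-ID outside

! 4. AnyConnect SSLVPN: certificate AND username/password ("Both")
ip local pool SSLVPN-POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
webvpn
 enable outside
 svc enable
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSLVPN-POOL
 authentication-server-group LOCAL
tunnel-group SSLVPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
 username-from-certificate CN
 group-alias SSLVPN enable

! 5. Enroll a user; with pre-fill on, the CN must equal the login username
crypto ca server user-db add jdoe dn CN=jdoe,O=Example,C=US email jdoe@example.com
crypto ca server user-db allow jdoe email-otp
! without email, read the OTP with: crypto ca server user-db show-otp jdoe
! and have the user enroll at https://<asa-address>/+CSCOCA+/enroll.html
```

Because pre-fill takes the username from the certificate's CN, a certificate issued to CN=jdoe cannot be used to log in as any other local account even if the password for that account is known.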

Well that's it. Have fun and let me know if you have any questions.

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary: go to Jamey's Blog for more articles on security.

Copyright © 2010 IDG Communications, Inc.