This document describes how to set up a Cisco Adaptive Security Appliance (ASA) as a Certificate Authority (CA) server and as a Secure Sockets Layer (SSL) gateway for Cisco AnyConnect Secure Mobility Clients.
Cisco recommends that you have knowledge of these topics:
ASDM 7.3 or higher
The information in this document is based on these software and hardware versions:
PC which runs a supported OS per the Compatibility Chart.
Note: Download the AnyConnect VPN Client package (anyconnect-win*.pkg) from the Cisco Software Download (registered customers only). Copy the AnyConnect VPN client to the ASA's flash memory; it is downloaded from there to the remote user computers in order to establish the SSL VPN connection with the ASA. Refer to the Installing the AnyConnect Client section of the ASA configuration guide for more information.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The Certificate authority on the ASA provides these functionalities:
Guidelines and Limitations
This section describes how to configure the Cisco ASA as a Local CA server.
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.
CLI equivalent:
```
ASA(config)# crypto ca server
ASA(config-ca-server)# issuer-name CN=ASA.local
ASA(config-ca-server)# subject-name-default CN=ASA.local
ASA(config-ca-server)# lifetime certificate 365
ASA(config-ca-server)# lifetime ca-certificate 1095
ASA(config-ca-server)# passphrase cisco123
ASA(config-ca-server)# no shutdown
% Some server settings cannot be changed after CA certificate generation.
Keypair generation process begin. Please wait...
Completed generation of the certificate and keypair...
Archiving certificate and keypair to storage...
Complete
```
These are additional fields that could be configured under Local CA Server configuration.
Field | Description |
---|---|
CRL Distribution Point URL | This is the CRL location on the ASA. The default location is http://hostname.domain/+CSCOCA+/asa_ca.crl, but the URL can be modified. |
Publish-CRL Interface and Port | To make the CRL available for HTTP download on a given interface and port, choose a publish-CRL interface from the drop-down list. Then enter the port number, which can be any port number from 1-65535. The default port number is TCP port 80. |
CRL Lifetime | The Local CA updates and reissues the CRL every time a user certificate is revoked or unrevoked. If there are no revocation changes, the CRL is reissued automatically once every CRL lifetime, the period of time you specify with the lifetime crl command during Local CA configuration. If you do not specify a CRL lifetime, the default time period is six hours. |
Database Storage Location | The ASA stores user information, issued certificates, and revocation lists in a local CA database. This database resides in local flash memory by default, or can be configured to reside on an external file system that is mounted and accessible to the ASA. |
Default Subject Name | Enter a default subject (DN string) to append to a username on issued certificates. The permitted DN attributes are: CN (Common Name), SN (Surname), O (Organization Name), L (Locality), C (Country), OU (Organization Unit), EA (E-mail Address), ST (State/Province), T (Title). |
Enrollment Period | Sets the enrollment time limit in hours within which the user can retrieve the PKCS12 file from the ASA. The default value is 24 hours. Note: If the enrollment period expires before the user retrieves the PKCS12 file that includes the user certificate, enrollment is not permitted. |
One Time Password Expiration | Defines the amount of time in hours that the OTP is valid for user enrollment. This time period begins when the user is allowed to enroll. The default value is 72 hours. |
Certificate Expiration Reminder | Specifies the number of days before a certificate expires that an initial reminder to re-enroll is sent to the certificate owner. |
Specify the user details (username, email ID and subject name), as shown in this image.
CLI equivalent:
ASA(config)# crypto ca server user-db add user1 dn CN=user1,OU=TAC email user1@cisco.com
CLI to verify the user status:
```
ASA# show crypto ca server user-db
username: user1
email:    user1@cisco.com
dn:       CN=user1,OU=TAC
allowed:  19:03:11 UTC Thu Jan 14 2016
notified: 1 times
enrollment status: Allowed to Enroll
```
Email the OTP (Requires SMTP server and Email Settings to be configured under the CA server configuration).
OR
Directly view the OTP and share it with the user by clicking View/Re-generate OTP. This can also be used to regenerate the OTP.
CLI equivalent:
```
!! Email the OTP to the user
ASA# crypto ca server user-db allow user1 email-otp

!! Display the OTP on terminal
ASA# crypto ca server user-db allow user1 display-otp
Username: user1
OTP: 18D14F39C8F3DD84
Enrollment Allowed Until: 14:18:34 UTC Tue Jan 12 2016

!! Enable web-access on the "Internet" interface of the ASA
ASA(config)# webvpn
ASA(config-webvpn)# enable Internet
```
https://<ASA IP/FQDN>/+CSCOCA+/enroll.html
The passphrase to install the client certificate is the same as the OTP received earlier.
The AnyConnect Configuration Wizard/CLI can be used in order to configure the AnyConnect Secure Mobility Client. Ensure that an AnyConnect client package has been uploaded to the flash/disk of the ASA Firewall before you proceed.
Complete these steps in order to configure the AnyConnect Secure Mobility Client via the Configuration Wizard:
2. Enter the Connection Profile Name, choose the interface on which the VPN will be terminated from the VPN Access Interface drop-down menu, and click Next.
3. Check the SSL check box in order to enable Secure Sockets Layer (SSL). The Device Certificate can be a certificate issued by a trusted third-party Certificate Authority (CA) (such as Verisign or Entrust), or a self-signed certificate. If the certificate is already installed on the ASA, it can be chosen from the drop-down menu.
Note: This certificate is the server-side certificate that the ASA presents to SSL clients. If no server certificate is currently installed on the ASA, a self-signed certificate must be generated; click Manage to do so.
In order to install a third-party certificate, complete the steps that are described in the ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example Cisco document.
4. Click Add in order to add the AnyConnect Client Package (.pkg file) from the local drive or from the flash/disk of the ASA.
Click Browse Flash in order to add the image from the flash drive, or click Upload in order to add the image from the local drive of the host machine.
5. User authentication can be completed via the Authentication, Authorization, and Accounting (AAA) server groups. If the users are already configured, choose LOCAL and click Next. Otherwise, add a user to the Local User Database and click Next.
Note: In this example, LOCAL authentication is configured, which means that the local user database on the ASA will be used for authentication.
6. Ensure that the Address Pool for the VPN clients is configured. If an IP pool is already configured, select it from the drop-down menu. If not, click New in order to configure one. Once complete, click Next.
7. Optionally, configure the Domain Name System (DNS) servers and the domain name in the DNS and Domain Name fields, and then click Next.
8. Ensure that the traffic between the client and the inside subnet is exempt from any dynamic Network Address Translation (NAT). Enable the Exempt VPN traffic from network address translation check box and configure the LAN interface that will be used for the exemption. Also, specify the Local Network which must be exempted and click Next.
9. Click Next.
10. The final step shows the summary. Click Finish to complete the setup.
The AnyConnect Client configuration is now complete. However, when you configure AnyConnect via the Configuration Wizard, it configures the authentication method as AAA by default. In order to authenticate the clients via certificates and username/password, the tunnel-group (Connection Profile) must be configured to use certificates and AAA as the authentication method.
```
!! *****Configure the VPN Pool*****
ip local pool VPN_Pool 10.10.10.1-10.10.10.200 mask 255.255.255.0

!! *****Configure Address Objects for VPN Pool and Local Network*****
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
exit

!! *****Configure WebVPN*****
webvpn
 enable Internet
 anyconnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
exit

!! *****Configure User*****
username user1 password mbO2jYs13AXlIAGa encrypted privilege 2

!! *****Configure Group-Policy*****
group-policy GroupPolicy_SSL_GRP internal
group-policy GroupPolicy_SSL_GRP attributes
 vpn-tunnel-protocol ssl-client
 dns-server none
 wins-server none
 default-domain none
exit

!! *****Configure Tunnel-Group*****
tunnel-group SSL_GRP type remote-access
tunnel-group SSL_GRP general-attributes
 authentication-server-group LOCAL
 default-group-policy GroupPolicy_SSL_GRP
 address-pool VPN_Pool
tunnel-group SSL_GRP webvpn-attributes
 authentication aaa certificate
 group-alias SSL_GRP enable
exit

!! *****Configure NAT-Exempt Policy*****
nat (Inside,Internet) 1 source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
```
Use this section in order to confirm that your configuration works properly.
Note: The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.
Ensure that the CA server is enabled.
show crypto ca server
```
ASA(config)# show crypto ca server
Certificate Server LOCAL-CA-SERVER:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shutdown" to unlock it)
    Issuer name: CN=ASA.local
    CA certificate fingerprint/thumbprint: (MD5)
        32e868b9 351a1b07 4b59cce5 704d6615
    CA certificate fingerprint/thumbprint: (SHA1)
        6136511b 14aa1bbe 334c2659 ae7015a9 170a7c4d
    Last certificate issued serial number: 0x1
    CA certificate expiration timer: 19:25:42 UTC Jan 8 2019
    CRL NextUpdate timer: 01:25:42 UTC Jan 10 2016
    Current primary storage dir: flash:/LOCAL-CA-SERVER/
    Auto-Rollover configured, overlap period 30 days
    Autorollover timer: 19:25:42 UTC Dec 9 2018
    WARNING: Configuration has been modified and needs to be saved!!
```
Ensure that the user is allowed to enroll after being added:
```
*****Before Enrollment*****
ASA# show crypto ca server user-db
username: user1
email:    user1@cisco.com
dn:       CN=user1,OU=TAC
allowed:  19:03:11 UTC Thu Jan 14 2016
notified: 1 times
enrollment status: Allowed to Enroll        >>> Shows the status "Allowed to Enroll"

*****After Enrollment*****
username: user1
email:    user1@cisco.com
dn:       CN=user1,OU=TAC
allowed:  19:05:14 UTC Thu Jan 14 2016
notified: 1 times
enrollment status: Enrolled, Certificate valid until 19:18:30 UTC Tue Jan 10 2017, Renewal: Allowed
```
You can check the details of the AnyConnect connection either via the CLI or ASDM.
Via CLI
show vpn-sessiondb detail anyconnect
```
ASA# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : user1                  Index        : 1
Assigned IP  : 10.10.10.1             Public IP    : 10.142.189.181
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 13822                  Bytes Rx     : 13299
Pkts Tx      : 10                     Pkts Rx      : 137
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : GroupPolicy_SSL_GRP    Tunnel Group : SSL_GRP
Login Time   : 19:19:10 UTC Mon Jan 11 2016
Duration     : 0h:00m:47s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 1.1
  Public IP    : 10.142.189.181
  Encryption   : none                   Hashing      : none
  TCP Src Port : 52442                  TCP Dst Port : 443
  Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client OS    : Windows
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.2.00096
  Bytes Tx     : 6911                   Bytes Rx     : 768
  Pkts Tx      : 5                      Pkts Rx      : 1
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 1.2
  Assigned IP  : 10.10.10.1             Public IP    : 10.142.189.181
  Encryption   : RC4                    Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Src Port : 52443
  TCP Dst Port : 443
  Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.2.00096
  Bytes Tx     : 6911                   Bytes Rx     : 152
  Pkts Tx      : 5                      Pkts Rx      : 2
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

DTLS-Tunnel:
  Tunnel ID    : 1.3
  Assigned IP  : 10.10.10.1             Public IP    : 10.142.189.181
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: DTLSv1.0               UDP Src Port : 59167
  UDP Dst Port : 443
  Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.2.00096
  Bytes Tx     : 0                      Bytes Rx     : 12907
  Pkts Tx      : 0                      Pkts Rx      : 142
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 51 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :
```
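The session output above is where a defender confirms that the tunnel-group's certificate-plus-AAA authentication actually took effect and that the negotiated tunnel parameters are acceptable. The following Python is an added example (not from this document or Cisco): it parses a constructed excerpt of that output, groups fields by tunnel, and flags deviations. Field names follow the output above; the policy sets (weak ciphers, legacy protocol versions, required auth mode) are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed excerpt of "show vpn-sessiondb detail anyconnect" (values taken from the page's output).
SAMPLE = """\
Username     : user1                  Index        : 1
AnyConnect-Parent:
  Encryption   : none                   Hashing      : none
  Auth Mode    : Certificate and userPassword
SSL-Tunnel:
  Encryption   : RC4                    Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Src Port : 52443
  Auth Mode    : Certificate and userPassword
DTLS-Tunnel:
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: DTLSv1.0               UDP Src Port : 59167
  Auth Mode    : Certificate and userPassword
"""

# Assumed policy (not from the page): what a defender would want flagged.
WEAK_CIPHERS = {"RC4", "DES", "none"}
LEGACY_ENCAPS = {"TLSv1.0", "DTLSv1.0"}
REQUIRED_AUTH = "Certificate and userPassword"  # result of "authentication aaa certificate"

def parse_session(text: str) -> Dict[str, Dict[str, str]]:
    """Group 'Field : value' pairs by tunnel section ('Session' for the header part)."""
    sections: Dict[str, Dict[str, str]] = {"Session": {}}
    current = "Session"
    for line in text.splitlines():
        stripped = re.sub(r"\s+:", ":", line.strip())  # "Field   : v" -> "Field: v"
        if re.fullmatch(r"[\w-]+:", stripped):         # section header, e.g. "SSL-Tunnel:"
            current = stripped[:-1]
            sections[current] = {}
            continue
        for chunk in re.split(r"\s{2,}", stripped):     # two pairs can share one line
            if ":" in chunk:
                key, _, val = chunk.partition(":")
                sections[current][key.strip()] = val.strip()
    return sections

def audit(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per tunnel attribute that deviates from the assumed policy."""
    findings: List[str] = []
    for name, fields in sections.items():
        if name in ("Session", "NAC"):
            continue
        if fields.get("Auth Mode") != REQUIRED_AUTH:
            findings.append(f"{name}: auth mode {fields.get('Auth Mode')!r} != {REQUIRED_AUTH!r}")
        if name != "AnyConnect-Parent" and fields.get("Encryption") in WEAK_CIPHERS:
            findings.append(f"{name}: weak cipher {fields['Encryption']}")  # parent channel is control-only
        if fields.get("Encapsulation") in LEGACY_ENCAPS:
            findings.append(f"{name}: legacy protocol {fields['Encapsulation']}")
    return findings
```

Run `audit(parse_session(SAMPLE))` on the page's own values and it reports the RC4 SSL tunnel and the TLSv1.0/DTLSv1.0 encapsulations while confirming every tunnel used certificate plus username/password authentication.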
Via ASDM
Details: provides more information about the session.
Logout: manually logs the user out from the headend.
Ping: pings the AnyConnect client from the headend.
This section provides information you can use in order to troubleshoot your configuration.
Note: Refer to Important Information on Debug Commands before you use debug commands.
Caution: On the ASA, you can set various debug levels; by default, level 1 is used. If you change the debug level, the verbosity of the debugs might increase. Do this with caution, especially in production environments.
This debug output is seen when the CA server is enabled with the no shutdown command.
```
ASA# debug crypto ca 255
ASA# debug crypto ca server 255
ASA# debug crypto ca message 255
ASA# debug crypto ca transaction 255

CRYPTO_CS: input signal enqueued: no shut   >>>>> Command issued to enable the CA server
Crypto CS thread wakes up!
CRYPTO_CS: enter FSM: input state disabled, input signal no shut
CRYPTO_CS: starting enabling checks
CRYPTO_CS: found existing serial file.
CRYPTO_CS: started CA cert timer, expiration time is 17:53:33 UTC Jan 13 2019
CRYPTO_CS: Using existing trustpoint 'LOCAL-CA-SERVER' and CA certificate
CRYPTO_CS: file opened: flash:/LOCAL-CA-SERVER/LOCAL-CA-SERVER.ser
CRYPTO_CS: DB version 1
CRYPTO_CS: last issued serial number is 0x4
CRYPTO_CS: closed ser file
CRYPTO_CS: file opened: flash:/LOCAL-CA-SERVER/LOCAL-CA-SERVER.crl
CRYPTO_CS: CRL file LOCAL-CA-SERVER.crl exists.
CRYPTO_CS: Read 220 bytes from crl file.
CRYPTO_CS: closed crl file
CRYPTO_PKI: Storage context locked by thread Crypto CA Server
CRYPTO_PKI: inserting CRL
CRYPTO_PKI: set CRL update timer with delay: 20250
CRYPTO_PKI: the current device time: 18:05:17 UTC Jan 16 2016
CRYPTO_PKI: the last CRL update time: 17:42:47 UTC Jan 16 2016
CRYPTO_PKI: the next CRL update time: 23:42:47 UTC Jan 16 2016
CRYPTO_PKI: CRL cache delay being set to: 20250000
CRYPTO_PKI: Storage context released by thread Crypto CA Server
CRYPTO_CS: Inserted Local CA CRL into cache!
CRYPTO_CS: shadow not configured; look for shadow cert
CRYPTO_CS: failed to find shadow cert in the db
CRYPTO_CS: set shadow generation timer
CRYPTO_CS: shadow generation timer has been set
CRYPTO_CS: Enabled CS.
CRYPTO_CS: exit FSM: new state enabled
CRYPTO_CS: cs config has been locked.
Crypto CS thread sleeps!
```
This debug output shows the client's enrollment:
```
ASA# debug crypto ca 255
ASA# debug crypto ca server 255
ASA# debug crypto ca message 255
ASA# debug crypto ca transaction 255

CRYPTO_CS: writing serial number 0x2.
CRYPTO_CS: file opened: flash:/LOCAL-CA-SERVER/LOCAL-CA-SERVER.ser
CRYPTO_CS: Writing 32 bytes to ser file
CRYPTO_CS: Generated and saving a PKCS12 file for user user1 at flash:/LOCAL-CA-SERVER/user1.p12
```
The enrollment of the client may fail under these conditions:
Scenario 1.
CLI Equivalent:
```
ASA(config)# show crypto ca server user-db
username: user1
email:    user1@cisco.com
dn:       CN=user1,OU=TAC
allowed:  <not allowed>
notified: 0 times
enrollment status: Not Allowed to Enroll
```
Scenario 2.
The client may fail to access the enrollment portal of the ASA in these cases:
```
ASA(config)# show run webvpn
webvpn
 port 4433
 enable Internet
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
```
Scenario 3.
```
ASA(config)# debug crypto ca 255
ASA(config)# debug crypto ca server 255
ASA(config)# debug crypto ca message 255
ASA(config)# debug crypto ca transaction 255
ASA(config)# debug crypto ca trustpool 255

CRYPTO_CS: writing serial number 0x2.
CRYPTO_CS: file opened: flash:/LOCAL-CA-SERVER/LOCAL-CA-SERVER.ser
CRYPTO_CS: Writing 32 bytes to ser file
CRYPTO_CS: Generated and saving a PKCS12 file for user user1 at flash:/LOCAL-CA-SERVER/user1.p12
CRYPTO_CS: Failed to write to opened PKCS12 file for user user1, fd: 0, status: -1.
CRYPTO_CS: Failed to generate pkcs12 file for user user1 status: -1.
CRYPTO_CS: Failed to process enrollment in-line for user user1. status: -1
```
Revision | Publish Date | Comments |
---|---|---|
1.0 | 03-Aug-2016 | Initial Release |