Configure Cert Mapping for Secure Client Auth on FTD via FMC
Available Languages
Contents
Introduction
This document describes how to set up Cisco Secure Client with SSL on FTD via FMC using certificate mapping for authentication.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco Firepower Management Center (FMC)
- Firewall Threat Defense (FTD) Virtual
- VPN Authentication Flow
Components Used
- Cisco Firepower Management Center for VMWare 7.4.1
- Cisco Firewall Threat Defense Virtual 7.4.1
- Cisco Secure Client 5.1.3.62
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Certificate mapping is a method used in VPN connections where a client certificate is mapped to a local user account, or attributes within the certificate are used for authorization purposes.This is a process where a digital certificate is used as a means of identifying a user or device. By using certificate mapping, it leverages the SSL protocol to authenticate users without the need for them to input credentials.
This document describes how to authenticate the Cisco Secure Client using the common name from an SSL certificate.
These certificates contain a common name within them, which is used for authorization purposes.
- CA : ftd-ra-ca-common-name
- Engineer VPN Client Certificate: vpnEngineerClientCN
- Manager VPN Client Certificate: vpnManagerClientCN
- Server Certificate: 192.168.1.200
Network Diagram
This image shows the topology that is used for the example of this document.
Network Diagram
Configurations
Configuration in FMC
Step 1. Configure FTD Interface
Navigate toDevices > Device Management, edit the target FTD device, config outside interface for FTD inInterfacestab.
For GigabitEthernet0/0,
- Name: outside
- Security Zone: outsideZone
- IP Address: 192.168.1.200/24
FTD Interface
Step 2. Confirm Cisco Secure Client License
Navigate toDevices > Device Management, edit the target FTD device, confirm the Cisco Secure Client license inDevicetab.
Secure Client License
Step 3. Add IPv4 Address Pool
Navigate toObject > Object Management > Address Pools > IPv4 Pools, clickAdd IPv4 Poolsbutton.
Add IPv4 Address Pool
Input necessary information to create an IPv4 address pool for engineer VPN client.
- Name: ftd-vpn-engineer-pool
- IPv4 Address Range: 172.16.1.100-172.16.1.110
- Mask: 255.255.255.0
IPv4 Address Pool for Engineer VPN Client
Input necessary information to create an IPv4 address pool for manager VPN client.
- Name: ftd-vpn-manager-pool
- IPv4 Address Range: 172.16.1.120-172.16.1.130
- Mask: 255.255.255.0
IPv4 Address Pool for Manager VPN Client
Confirm the new IPv4 address pools.
New IPv4 Address Pools
Step 4. Add Group Policy
Navigate toObject > Object Management > VPN > Group Policy, clickAdd Group Policybutton.
Add Group Policy
Input necessary information to create a group policy for the engineer VPN client.
- Name: ftd-vpn-engineer-grp
- VPN Protocols: SSL
Group Policy for Engineer VPN Client
Input necessary information to create a group policy for manager VPN client.
- Name: ftd-vpn-manager-grp
- VPN Protocols: SSL
Group Policy for Manager VPN Client
Confirm the new group policies.
New Group Policies
Step 5. Add FTD Certificate
Navigate toObject > Object Management > PKI > Cert Enrollment, clickAdd Cert Enrollmentbutton.
Add Certificate Enrollment
Input necessary information for FTD certificate and import a PKCS12 file from local computer.
- Name: ftd-vpn-cert
- Enrollment Type: PKCS12 File
Details of Certificate Enrollment
Confirm the new certificate enrollment.
New Certificate Enrollment
Navigate toDevices > Certificates, clickAdd button.
Add FTD Certificate
Input necessary information to bind the new certificate enrollment to FTD.
- Device: 1.x.x.49
- Cert Enrollment: ftd-vpn-cert
Bind Certificate to FTD
Confirm the status of the certificate binding.
Status of Certificate Binding
Step 6. Add Policy Assignment for Engineer Connection Profile
Navigate toDevices > VPN > Remote Access, clickAddbutton.
Add Remote Access VPN
Input necessary information and clickNextbutton.
- Name: ftd-vpn-engineer
- VPN Protocols: SSL
- Targeted Devices: 1.x.x.49
Policy Assignment
Step 7. Configure Details for Engineer Connection Profile
Input necessary information and clickNextbutton.
- Authentication Method: Client Certificate Only
- Username From Certificate: Map specific field
- Primary Field: CN (Common Name)
- Secondary Field: OU (Organizational Unit)
- IPv4 Address Pools: ftd-vpn-engineer-pool
- Group Policy: ftd-vpn-engineer-grp
Details of Connection Profile
Step 8. Configure Secure Client Image for Engineer Connection Profile
Select secure client image file and clickNextbutton.
Select Secure Client
Step 9. Configure Access and Certificate for Engineer Connection Profile
Select value for Interface group/Security Zone and Certificate Enrollment items, click Next button.
- Interface group/Security Zone: outsideZone
- Certificate Enrollment: ftd-vpn-cert
Details of Access and Certificate
Step 10. Confirm Summary for Engineer Connection Profile
Confirm the information entered for remote access VPN policy and click Finish button.
Details of Remote Access VPN Policy
Step 11. Add Connection Profile for Manager VPN Client
Navigate to Devices > VPN > Remote Access > Connection Profile, click + button.
Add Connection Profile for Manager VPN Client
Input necessary information for connection profile and click Save button.
- Name: ftd-vpn-manager
- Group Policy: ftd-vpn-manager-grp
- IPv4 Address Pools: ftd-vpn-manager-pool
Details of Connection Profile for Manager VPN Client
Confirm new added connection profiles.
Confirm Added Connection Profiles
Step 12. Add Certificate Map
Navigate to Objects > Object Management > VPN > Certificate Map, click AddCertificate Map button.
Add Certificate Map
Input necessary information for the certificate map of the engineer VPN client and click Save button.
- Map Name: cert-map-engineer
- Mapping Rule: CN (Common Name) Equals vpnEngineerClientCN
Certificate Map for Engineer Client
Input necessary information for the certificate map of the manager VPN client and click Save button.
- Map Name: cert-map-manager
- Mapping Rule: CN (Common Name) Equals vpnManagerClientCN
Certificate Map for Manager Client
Confirm new added certificate maps.
New Certificate Maps
Step 13. Bind Certificate Map to Connection Profile
Navigate to Devices > VPN > Remote Access, edit ftd-vpn-engineer. Then, navigate to Advanced > Certificate Maps, click Add Mapping button.
Bind Certificate Map
Binding certificate map to connection profile for engineer VPN client.
- Certificate Map Name: cert-map-engineer
- Connection Profile: ftd-vpn-engineer
Binding Certificate Map for Engineer VPN Client
Binding certificate map to connection profile for manager VPN client.
- Certificate Map Name: cert-map-manager
- Connection Profile: ftd-vpn-manager
Binding Certificate Map for Manager VPN Client
Confirm the setting of certificate binding.
Confirm Certificate Binding
Confirm in FTD CLI
Confirm the VPN connection settings in the FTD CLI after deployment from the FMC.
// Defines IP of interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.200 255.255.255.0
// Defines a pool of addresses
ip local pool ftd-vpn-engineer-pool 172.16.1.100-172.16.1.110 mask 255.255.255.0
ip local pool ftd-vpn-manager-pool 172.16.1.120-172.16.1.130 mask 255.255.255.0
// Defines Trustpoint for Server Certificate
crypto ca trustpoint ftd-vpn-cert
keypair ftd-vpn-cert
crl configure
// Server Certificate Chain
crypto ca certificate chain ftd-vpn-cert
certificate 22413df584b6726c
3082037c 30820264 a0030201 02020822 413df584 b6726c30 0d06092a 864886f7
......
quit
certificate ca 5242a02e0db6f7fd
3082036c 30820254 a0030201 02020852 42a02e0d b6f7fd30 0d06092a 864886f7
......
quit
// Defines Certificate Map for Engineer VPN Clients
crypto ca certificate map cert-map-engineer 10
subject-name attr cn eq vpnEngineerClientCN
// Defines Certificate Map for Manager VPN Clients
crypto ca certificate map cert-map-manager 10
subject-name attr cn eq vpnManagerClientCN
// Configures the FTD to allow Cisco Secure Client connections and the valid Cisco Secure Client images
webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/csm/cisco-secure-client-win-5.1.3.62-webdeploy-k9.pkg 1 regex "Windows"
anyconnect enable
tunnel-group-list enable
cache
disable
certificate-group-map cert-map-engineer 10 ftd-vpn-engineer
certificate-group-map cert-map-manager 10 ftd-vpn-manager
error-recovery disable
// Configures the group-policy to allow SSL connections from manager VPN clients
group-policy ftd-vpn-manager-grp internal
group-policy ftd-vpn-manager-grp attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
split-tunnel-all-dns disable
client-bypass-protocol disable
vlan none
address-pools none
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private none
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules value none
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable
// Configures the group-policy to allow SSL connections from engineer VPN clients
group-policy ftd-vpn-engineer-grp internal
group-policy ftd-vpn-engineer-grp attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
split-tunnel-all-dns disable
client-bypass-protocol disable
vlan none
address-pools none
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private none
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules value none
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable
// Configures the tunnel-group to use the certificate authentication for engineer VPN clients
tunnel-group ftd-vpn-engineer type remote-access
tunnel-group ftd-vpn-engineer general-attributes
address-pool ftd-vpn-engineer-pool
default-group-policy ftd-vpn-engineer-grp
tunnel-group ftd-vpn-engineer webvpn-attributes
authentication certificate
group-alias ftd-vpn-engineer enable
// Configures the tunnel-group to use the certificate authentication for manager VPN clients
tunnel-group ftd-vpn-manager type remote-access
tunnel-group ftd-vpn-manager general-attributes
address-pool ftd-vpn-manager-pool
default-group-policy ftd-vpn-manager-grp
tunnel-group ftd-vpn-manager webvpn-attributes
authentication certificate
Confirm in VPN Client
Step 1. Confirm Client Certificate
In engineer VPN client, navigate toCertificates - Current User > Personal > Certificates, check the client certificate used for authentication.
Confirm Certificate for Engineer VPN Client
Double click the client certificate, navigate toDetails, check the detail ofSubject.
- Subject: CN = vpnEngineerClientCN
Details of Engineer Client Certificate
In manager VPN client, navigate toCertificates - Current User > Personal > Certificates, check the client certificate used for authentication.
Confirm Certificate for Manager VPN Client
Double click the client certificate, navigate toDetails, check the detail ofSubject.
- Subject: CN = vpnManagerClientCN
Details of Manager Client Certificate
Step 2. Confirm CA
In both engineer VPN client and manager VPN client, navigate toCertificates - Current User > Trusted Root Certification Authorities > Certificates, check the CA used for authentication.
- Issued By: ftd-ra-ca-common-name
Confirm CA
Verify
Step 1. Initiate VPN Connection
In engineer VPN client, initiate the Cisco Secure Client connection. No need to input the username and password, the VPN connected successfully.
Initiate VPN Connection from Engineer Client
In manager VPN client, initiate the Cisco Secure Client connection. No need to input the username and password, the VPN connected successfully.
Initiate VPN Connection from Manager Client
Step 2. Confirm Active Sessions in FMC
Navigate toAnalysis > Users > Active Sessions, check the active session for VPN authentication.
Confirm Active Session
Step 3. Confirm VPN Sessions in FTD CLI
Runshow vpn-sessiondb detail anyconnect command in FTD (Lina) CLI to confirm the VPN sessions of engineer and manager.
ftd702# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : vpnEngineerClientCN Index : 13
Assigned IP : 172.16.1.101 Public IP : 192.168.1.11
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-128 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA384
Bytes Tx : 14782 Bytes Rx : 12714
Pkts Tx : 2 Pkts Rx : 32
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ftd-vpn-engineer-grp Tunnel Group : ftd-vpn-engineer
Login Time : 02:00:35 UTC Wed Jun 19 2024
Duration : 0h:00m:55s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : cb0071820000d00066723bc3
Security Grp : none Tunnel Zone : 0
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 13.1
Public IP : 192.168.1.11
Encryption : none Hashing : none
TCP Src Port : 50225 TCP Dst Port : 443
Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : win
Client OS Ver: 10.0.15063
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.3.62
Bytes Tx : 7391 Bytes Rx : 0
Pkts Tx : 1 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 13.2
Assigned IP : 172.16.1.101 Public IP : 192.168.1.11
Encryption : AES-GCM-128 Hashing : SHA256
Ciphersuite : TLS_AES_128_GCM_SHA256
Encapsulation: TLSv1.3 TCP Src Port : 50232
TCP Dst Port : 443 Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.3.62
Bytes Tx : 7391 Bytes Rx : 1775
Pkts Tx : 1 Pkts Rx : 2
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 13.3
Assigned IP : 172.16.1.101 Public IP : 192.168.1.11
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 50825
UDP Dst Port : 443 Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.3.62
Bytes Tx : 0 Bytes Rx : 10939
Pkts Tx : 0 Pkts Rx : 30
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Username : vpnManagerClientCN Index : 14
Assigned IP : 172.16.1.120 Public IP : 192.168.1.21
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-128 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA384
Bytes Tx : 14782 Bytes Rx : 13521
Pkts Tx : 2 Pkts Rx : 57
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ftd-vpn-manager-grp Tunnel Group : ftd-vpn-manager
Login Time : 02:01:19 UTC Wed Jun 19 2024
Duration : 0h:00m:11s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : cb0071820000e00066723bef
Security Grp : none Tunnel Zone : 0
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 14.1
Public IP : 192.168.1.21
Encryption : none Hashing : none
TCP Src Port : 49809 TCP Dst Port : 443
Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : win
Client OS Ver: 10.0.15063
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.3.62
Bytes Tx : 7391 Bytes Rx : 0
Pkts Tx : 1 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 14.2
Assigned IP : 172.16.1.120 Public IP : 192.168.1.21
Encryption : AES-GCM-128 Hashing : SHA256
Ciphersuite : TLS_AES_128_GCM_SHA256
Encapsulation: TLSv1.3 TCP Src Port : 49816
TCP Dst Port : 443 Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.3.62
Bytes Tx : 7391 Bytes Rx : 3848
Pkts Tx : 1 Pkts Rx : 25
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 14.3
Assigned IP : 172.16.1.120 Public IP : 192.168.1.21
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 65501
UDP Dst Port : 443 Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.3.62
Bytes Tx : 0 Bytes Rx : 9673
Pkts Tx : 0 Pkts Rx : 32
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Troubleshoot
You can expect to find information about VPN authentication in the debug syslog of Lina engine and in the DART file on Windows PC.
This is an example of debug logs in the Lina engine during VPN connection from engineer client.
Jun 19 2024 02:00:35: %FTD-7-717029: Identified client certificate within certificate chain. serial number: 7AF1C78ADCC8F941, subject name: CN=vpnEngineerClientCN,OU=vpnEngineerClientOU,O=Cisco,L=Tokyo,ST=Tokyo,C=JP.
Jun 19 2024 02:00:35: %FTD-6-717022: Certificate was successfully validated. serial number: 7AF1C78ADCC8F941, subject name: CN=vpnEngineerClientCN,OU=vpnEngineerClientOU,O=Cisco,L=Tokyo,ST=Tokyo,C=JP.
Jun 19 2024 02:00:35: %FTD-7-717038: Tunnel group match found. Tunnel Group: ftd-vpn-engineer, Peer certificate: serial number: 7AF1C78ADCC8F941, subject name: CN=vpnEngineerClientCN,OU=vpnEngineerClientOU,O=Cisco,L=Tokyo,ST=Tokyo,C=JP, issuer_name: CN=ftd-ra-ca-common-name,OU=Cisco,O=Cisco,L=Tokyo,ST=Tokyo,C=JP.
Jun 19 2024 02:00:35: %FTD-6-113009: AAA retrieved default group policy (ftd-vpn-engineer-grp) for user = vpnEngineerClientCN
Jun 19 2024 02:00:46: %FTD-6-725002: Device completed SSL handshake with client outside:192.168.1.11/50825 to 192.168.1.200/443 for DTLSv1.2 session
This is an example of debug logs in the Lina engine during VPN connection from manager client.
Jun 19 2024 02:01:19: %FTD-7-717029: Identified client certificate within certificate chain. serial number: 1AD1B5EAE28C6D3C, subject name: CN=vpnManagerClientCN,OU=vpnManagerClientOU,O=Cisco,L=Tokyo,ST=Tokyo,C=JP.
Jun 19 2024 02:01:19: %FTD-6-717022: Certificate was successfully validated. serial number: 1AD1B5EAE28C6D3C, subject name: CN=vpnManagerClientCN,OU=vpnManagerClientOU,O=Cisco,L=Tokyo,ST=Tokyo,C=JP.
Jun 19 2024 02:01:19: %FTD-7-717038: Tunnel group match found. Tunnel Group: ftd-vpn-manager, Peer certificate: serial number: 1AD1B5EAE28C6D3C, subject name: CN=vpnManagerClientCN,OU=vpnManagerClientOU,O=Cisco,L=Tokyo,ST=Tokyo,C=JP, issuer_name: CN=ftd-ra-ca-common-name,OU=Cisco,O=Cisco,L=Tokyo,ST=Tokyo,C=JP.
Jun 19 2024 02:01:19: %FTD-6-113009: AAA retrieved default group policy (ftd-vpn-manager-grp) for user = vpnManagerClientCN
Jun 19 2024 02:01:25: %FTD-6-725002: Device completed SSL handshake with client outside:192.168.1.21/65501 to 192.168.1.200/443 for DTLSv1.2 session
Related Information
Configure Anyconnect Certificate Based Authentication for Mobile Access
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
22-Jul-2024 |
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)