
Practical PKI for Remote Access VPN
Ned Zaldivar, Security Consulting Systems Engineer

BRKSEC-3053
Abstract
This is an intermediate to advanced level session that provides a technical
overview and best practices for deploying X.509 certificates for the AnyConnect
client. A number of different SSLVPN use cases, including bring your own device,
are introduced and explained. Technologies used include Cisco ASA and Cisco
AnyConnect Secure Mobility, using both Cisco ISE and Microsoft public key
solutions.
By the end of the session participants should grasp the major steps in X.509
certificate deployment and be able to make informed decisions about using
certificate authentication with Cisco solutions. The target audience is security
and network administrators.
Session Objectives
Certificates excel at 2-factor authentication or mobile platform authentication
• Certificates are easy to use and deploy
• Certificates can solve advanced problems
• Tomorrow you will be able to deploy advanced use cases for VPN!
Assumptions for ASA
• You have set up AnyConnect SSLVPN either manually or through the
ASDM/CSM SSLVPN Wizard
And you understand the basics of:
• Connection Profiles/Tunnel Group
• Group Policy
• Dynamic Access Policy
• Host scan
Assumptions for ISE
You have setup ISE and Wired/Wireless using the wizard or manually
And you understand the basics of:
• Authentication
• Authorization
• Profiling
• Posture
• Provisioning
Agenda

• PKI Overview
• CA Overview / Configuration Details
• Advanced SSLVPN with Certificates
• Troubleshooting & Management
PKI Components
• Certificate
• Certificate Authority – one source of truth (Root CA, Issuing CA)
• Revocation – Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP)
• Certificate enforcement / validity check – the "police" that verifies a presented certificate
Certificate Revocation for VPN Explained
(Diagram: VPN client, Internet, Cisco ASA, a public CA and a private CA)
1) The VPN client connects across the Internet to the Cisco ASA
2) The ASA presents its identity certificate (issued by the public CA)
3) The client performs a CRL / OCSP check against the public CA
4) The client presents its identity certificate (issued by the private CA)
5) The ASA performs a CRL / OCSP check against the private CA
Certificate Use Cases
VPN is just one use case!
• Certificates are the gift that keeps giving
• Quickly increase corporate security in other areas
• Deploy once, use everywhere*
AnyConnect Secure Mobility
• SSL and IPSec VPN Client
Certificate and / or two factor authentication support
• 802.1x network supplicant
EAP-TLS support
• Broad client device support
Windows, Mac, Apple iOS, Android, Linux,
Windows Mobile, Blackberry 10
• Built-in SCEP (Certificate Provisioning) support
Easy deployment of certificates for Wired, Wireless &
VPN
Wired and Wireless 802.1x Security Policy Example
Many Other Use Cases for Certificates!
• Digital signing
• Email encryption / decryption
• TLS/SSL
• Digitally signing documents
Agenda
• PKI Overview
• CA Overview / Configuration Details
  • ISE 1.3+ Certificate Authority
  • Microsoft Certificate Authority
• Advanced SSLVPN Use Cases with ISE
• Troubleshooting and Management
Certificate Authority Options
Capability / feature compared across the CA options (Router, MSFT, Linux, ASA, ISE):
• Deploy BYOD certs via VPN?
• Deploy BYOD certs wired or wireless?
• Deploy certs to Active Directory domain computers?
• Highly scalable?
• Easily manageable?
• Cisco BU/TAC official support
Cisco ISE 1.3+ Certificate Authority
• Easy certificate provisioning for non Active Directory / Group Policy managed
devices (OS X, mobile devices, non-AD Windows)
• Enrollment via wired and wireless
• Deleting the endpoint deletes its certificate
• Manual certificate provisioning using the REST API in 1.4 for devices that cannot do
BYOD provisioning (Linux, PoS, embedded Windows, etc.)
• Ideal for the Bring Your Own Device use case
• Deploy in addition to the MS CA environment for corporate + BYOD!
• Not ideal for VPN delivery of certificates

Microsoft Certificate Authority
• Active Directory Certificate Services
• Windows Server 2008 R2 (Enterprise edition recommended)
• Server 2012 (all editions)
• Automatic certificate enrollment
• Group Policy push to domain computers
• SCEP / NDES deployment to mobile / non-AD devices
Let's Encrypt is a new Certificate Authority (coming Summer 2015)
• It's free, automated, and open.
• Anvil CA based on the ACME protocol
• Includes CRL/OCSP for revocation
• Nonce included
• For more information please visit https://letsencrypt.org/
Let's Build an ISE CA
(Diagram: ISE deployment with an Admin node and two PSNs)
Cisco ISE CA Configuration Step 1
• ISE CA is enabled by default
• Verify it is enabled at Administration > Certificates > Internal CA Settings
(it can be disabled globally here)
Cisco ISE CA Configuration Step 2
Create Certificate Template
• Specify Template Name
• Specify other Subject fields notice
CN is already populated.
• Configure Key Size (1024-4096 bits)
• SAN is FIXED to MAC Address
• Select Internal CA for SCEP Profile
• Choose certificate validity period
Cisco ISE CA Configuration Step 3
• Create Client Provisioning Profile
• Specify Profile Name
• Specify operating system(s)
• Enable profile for wired / wireless
• Configure target SSID (wireless)
• Choose WiFi security policy and protocol
• Allowed Protocol must be TLS
• Choose Certificate Template (from step 2)
Cisco ISE CA Configuration Step 4
• Create Client Provisioning Policy
• Create a provisioning rule per operating system
• Specify the Client Provisioning Profile as "Result" (from step 3)
• Specify NSP deployment in the Authorization rule (shown later).
ISE User Enrollment experience
Certificate Provisioning
– Supports OS X, Windows, Android, and Apple iOS
– Intended for BYOD / non Active Directory managed clients
Recommend reviewing ISE classes
Verification of Certificate – Cisco ISE Connection Log
ISE part of existing PKI environment [Option]
ISE can be a Standalone or Subordinate/Intermediate
Let's Build a MSFT CA
(Diagram: ISE Admin node and PSNs alongside the Microsoft CA)
Enterprise CA – Windows 2012
• Specify Enterprise CA and Root CA
Keys and Cryptography
• RSA with SHA-256 signatures and 2048-bit keys is what Microsoft recommends.
• 1024-bit keys are no longer issued.
• Most public HTTPS sites use RSA keys with SHA-256 signatures.
Additional CA Roles
These additional roles (services) are required for your Certificate Authority
• The account NDES runs as (on the slide, the Administrator account) must belong to the local IIS_IUSRS group!
• NDES is necessary if doing ASA SCEP (the ASA and AnyConnect enroll through SCEP, which NDES provides)
Complete CA roles – Root CA COMPLETE!
• Complete the install and verify!
Certificate Templates
http://technet.microsoft.com/en-us/library/cc730826(v=ws.10).aspx
• CAs use templates to define the format and content of certificates
• Every template has a unique purpose!
• Users and computers can enroll for different types of certificates
• Each template is controlled with an Access Control List governing read / write / enroll / autoenroll
Example Windows Certificate Templates
Certificate Authority Lifetime Timers
Relationship between Root and Subordinate CAs
Problem: the Enterprise Root CA's validity period is 2 years (default). You want a SubCA
lifetime of 5 years. The default SubCA template on the Root CA is 5 years.
The actual validity period is determined by 3 things:
1. Maximum lifetime set in the certificate template
2. Remaining lifetime of the issuing CA's own certificate (the Root CA; a CA never issues past its own expiry)
3. Registry setting (ValidityPeriod / ValidityPeriodUnits) on the issuing CA (the Root CA issues the SubCA cert)
Answer: the lowest of the three values determines the certificate lifetime!
Modify Certificate Lifetime Support
Relationship between Root and Subordinate CAs
Change this value on the Root CA before deploying subordinate CA(s). Then change
this value on the subordinate CA(s) as they are deployed.
From the Windows command line ("&&" is not supported from PowerShell):
• certutil -setreg ca\ValidityPeriod "Years"   (default is already "Years")
• certutil -setreg ca\ValidityPeriodUnits "5"   (set 5-year maximum certificate validity)
• net stop certsvc && net start certsvc   (restart Certificate Services)
• certutil -getreg ca | findstr "Validity"   (see existing values)
http://support.microsoft.com/kb/281557
http://blogs.technet.com/b/instan/archive/2009/01/14/using-a-custom-template-for-subordinate-ca-s.aspx
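The procedure above sets the registry cap but does not tell you whether that cap is the value that actually wins. The following PowerShell script is an added example, not code from the deck: it reads the registry cap (factor 3), computes the remaining lifetime of the CA's own certificate (factor 2), reports the effective maximum, and, only with -Apply, makes the same certutil change as the slide and restarts the service with Restart-Service (since PowerShell rejects the "&&" form). It assumes the standard AD CS registry layout (Configuration\Active naming the CA, and CACertHash under the CA's key listing its certificate thumbprints) and that the CA certificate is in LocalMachine\My; verify both on your server. The template maximum (factor 1) is not stored in the CA registry, so it is not computed here.

```powershell
# Added example (not from the deck): audit and set the maximum validity an
# AD CS CA will grant, using the same registry values the slide's certutil
# commands set. Run in an elevated PowerShell session on the CA.
# Assumptions: registry layout HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\
# Configuration\<CA name> with CACertHash (REG_MULTI_SZ of thumbprints), and
# the CA's own certificate in Cert:\LocalMachine\My (standard AD CS layout).
param(
    [int]$MaxYears = 5,      # desired cap for certificates this CA issues
    [switch]$Apply           # without -Apply the script only reports
)

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active          # active CA instance name
$caReg  = Get-ItemProperty -Path (Join-Path $cfgKey $caName)

# Factor 3 on the slide: the registry cap on issued-certificate validity.
$regCapYears = [int]$caReg.ValidityPeriodUnits
if ($caReg.ValidityPeriod -ne 'Years') {
    Write-Warning "ValidityPeriod is '$($caReg.ValidityPeriod)', not 'Years'; the units above are in that period"
}

# Factor 2: remaining lifetime of the CA's own certificate. A CA cannot issue
# beyond its own NotAfter, so on a short-lived root this is the real limit.
$remainingYears = $null
$thumb  = ($caReg.CACertHash | Select-Object -Last 1) -replace '\s', ''   # newest CA cert
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if ($caCert) {
    $remainingYears = [math]::Floor(($caCert.NotAfter - (Get-Date)).TotalDays / 365.25)
} else {
    Write-Warning "CA certificate $thumb not found in LocalMachine\My; skipping the CA-lifetime check"
}

# The lowest value wins (factor 1, the template maximum, must be checked in the template itself).
$effective = if ($null -ne $remainingYears) { [math]::Min($regCapYears, $remainingYears) } else { $regCapYears }

[pscustomobject]@{
    CA                   = $caName
    RegistryCapYears     = $regCapYears
    CACertRemainingYears = $remainingYears
    EffectiveMaxYears    = $effective
    WantedYears          = $MaxYears
} | Format-List

if ($null -ne $remainingYears -and $MaxYears -gt $remainingYears) {
    Write-Warning "Requested $MaxYears years exceeds the CA certificate's remaining $remainingYears years; renew the CA certificate first"
}

if ($Apply) {
    # Same change as the slide's certutil commands, then a service restart.
    certutil -setreg ca\ValidityPeriod "Years"        | Out-Null
    certutil -setreg ca\ValidityPeriodUnits $MaxYears | Out-Null
    Restart-Service -Name CertSvc
    certutil -getreg ca | Select-String -Pattern 'Validity'   # confirm the new values
}
```

Run it once without -Apply on the Root CA, check that EffectiveMaxYears matches what the SubCA needs, then run it with -Apply; repeat on each subordinate CA as it is deployed.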
Agenda

• PKI Overview
• CA Overview / Configuration Details
• Advanced SSLVPN with Certificates
• Architecture & Use Case Requirements
• Common Tasks
• (5) Uses Cases with and without ISE
• Troubleshooting and Management
Use Case Architecture
(Diagram) Mobile devices and laptops / desktops connect across the Internet to the
Cisco Adaptive Security Appliance 9.4(1). On the private network sit Cisco ISE
(AAA and/or internal CA, 1.3+) and Microsoft Certificate Services 2012.
Use Cases
• iOS/Android using DAP (UDID / cert check) – ASA SCEP Proxy and LDAP AAA
• Windows/Mac using DAP with cert prefill – ASA SCEP Proxy and LDAP AAA
• BYOD with user certificate leveraging ISE for authorization
• Corporate machine certificate using ISE for authorization
• ISE CA for delivery and ISE for OCSP & authorization
Use Case Security Requirements
• Two-factor authentication (certificate + password) for non tablets / phones
• Prevent sharing of certificates by multiple users
• Check that the user exists in AD before allowing VPN
• Use AD group membership as criteria for allowing SSLVPN
• Check if the PC is joined to the AD domain
• Severely limit network access during SCEP certificate enrollment
• Verify the device certificate is on the correct device for tablets / phones

Common Tasks across SSLVPN Use Cases
What Certs do we need to Deploy?
• Identity certificate on the ASA
  • Should be from a public CA (not covered in this session!)
• Root CA certificate(s)
  • Downloaded from the internal CA(s)
  • Installed on the ASA to trust user certs
  • Installed on clients to trust the authentication servers (usually for
    internal wired / wireless 802.1x)
• Identity certificates on user devices
  • Unique to user and / or device
  • Can be 'revoked' upon separation from the organization
ASA Identity Certificate Troubleshooting
For SSL negotiation and navigation there are only two prerequisites:
1. FQDN (outside IP address/name) = Common Name (CN)
2. Certificate is trusted by the browser / certificate store.
Options for the trust requirement:
• Install the untrusted certificate when you connect
• Use a trusted 3rd-party certificate
• Pre-provision the untrusted certificate in the trusted certificate store
ASA Identity Certificate Troubleshooting
• FQDN / CN mismatch and untrusted certificate
ASA Identity Certificate Troubleshooting
• Untrusted cert, but matching FQDN & Common Name
To avoid this, either pre-position the certificate or use a certificate from a
public CA like Entrust, Verisign, GoDaddy, etc.
You can also choose to import a self-signed
ASA Identity Certificate Troubleshooting
• You will receive a certificate warning in 9.4.1 because of the new elliptic curve
cryptography for SSL/TLS. The negotiation causes the certificate warning.
• Use the CLI command below so that only RSA-based ciphers are used:
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
Note that this list still includes RC4, single DES and 3DES; in practice keep only the AES suites.
• This is covered in the release notes for ASA 9.4:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html
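The two prerequisites on the slides (name matches, chain trusted) can be checked from a Windows client before anyone opens AnyConnect. The PowerShell script below is an added example, not code from the deck: it opens a TLS connection to the ASA, records the Windows chain engine's verdict instead of failing the handshake, and compares the name you connected to against the certificate's CN and DNS SANs. vpn.example.com is a placeholder for your ASA's outside FQDN.

```powershell
# Added example (not from the deck): verify the ASA identity certificate from
# a client the way a browser or AnyConnect will judge it. Assumption:
# vpn.example.com:443 is a placeholder for your ASA outside FQDN and port.
param(
    [string]$AsaFqdn = 'vpn.example.com',
    [int]$Port = 443
)

$script:chainErrors = $null
$ssl = $null
$tcp = [System.Net.Sockets.TcpClient]::new($AsaFqdn, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new(
        $tcp.GetStream(), $false,
        # Record the validation result instead of aborting, so an untrusted
        # certificate can still be inspected below.
        [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:chainErrors = $errors
            return $true
        })
    $ssl.AuthenticateAsClient($AsaFqdn)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

# Prerequisite 1: the FQDN must appear as CN or as a DNS SAN (browsers prefer the SAN).
$cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$sans = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    # Windows formats the SAN as "DNS Name=a, DNS Name=b, ..."; keep the values.
    $sans = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
}
$nameMatch = ($cn -eq $AsaFqdn) -or ($sans -contains $AsaFqdn)

# Prerequisite 2: the chain must be trusted by this machine's certificate store.
$trusted = ($script:chainErrors -eq [System.Net.Security.SslPolicyErrors]::None)

[pscustomobject]@{
    Host        = $AsaFqdn
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    NotAfter    = $cert.NotAfter
    CN          = $cn
    DnsSans     = ($sans -join ', ')
    NameMatches = $nameMatch
    ChainErrors = $script:chainErrors
    Trusted     = $trusted
}
if (-not $nameMatch) { Write-Warning "FQDN/CN mismatch: connect to the name in the certificate or reissue it" }
if (-not $trusted)   { Write-Warning "Chain not trusted: use a public CA or pre-provision the issuing CA certificate" }
```

ChainErrors is RemoteCertificateChainErrors for the untrusted case on the slides and RemoteCertificateNameMismatch for the FQDN/CN mismatch, which maps directly onto the two fixes the deck offers.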
Block Untrusted Servers
• Allows the user to override and trust a self-signed certificate
AnyConnect Local Policy (StrictCertificateTrust)
• Helps prevent man-in-the-middle attacks
• Will not allow self-signed certificates
• The end user will not be able to override
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy acversion="2.4.140"
xmlns="http://schemas.xmlsoap.org/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd">
<FipsMode>false</FipsMode>
<BypassDownloader>false</BypassDownloader>
<RestrictWebLaunch>false</RestrictWebLaunch>
<StrictCertificateTrust>true</StrictCertificateTrust>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>false</RestrictTunnelProtocols>
</AnyConnectLocalPolicy>
AnyConnect Client Settings
Automatic Cert Selection
Recommended Delivery Methods
SCEP
• Controlled via client
• Needs to use pull-down list
• Direct communication with CA
• Needs multiple connection profiles
SCEP Proxy
• Controlled via ASA
• Does not need pull-down list
• ASA communicates with CA
• Can use single connection profile
• Requires ASA 8.4(1)+
GPO
• Supported for domain-joined devices only
• Easiest way to roll out user or machine certificates
Recommended Delivery Methods Cont.
Managed GPO Machine
• Screenshot from MMC / Certificates plugin
• Requires Microsoft CA
• Used for user or machine certificate
• Machine certificate installed via GPO
• Using published Workstation Authentication template
Recommended Delivery Methods Cont.
Using ISE with Microsoft CA and ISE as a CA
• ISE 1.x with MSFT CA
  • http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide.html
  • Wired and wireless only
• ISE 1.3+ with internal CA
  • Wired and wireless only
  • Primary use case is BYOD
  • No other CA required
  • Can be integrated as a subordinate to an existing Root CA
Ensure functional DNS Name Resolution for ASA
Both the ASA and VPN clients must be able to resolve internal hostnames.
Without these settings configured:
• SCEP proxy will fail because the ASA can't resolve PKI-related hostnames
• VPN clients will not be able to resolve internal hostnames
ASA Certificate Authentication
Extracting fields
• The ASA can extract the username from a certificate in 3 ways:
  • Use the entire name (DN)
  • Use a LUA script
  • Use a primary attribute
• Most common use is leveraging the CN field within the certificate and sending it
over to the AAA server (ISE, or LDAP/AD directly)
AAA – Dynamic Access Policies
Device ID awareness from AnyConnect used by the ASA:
• Windows – BIOS serial number
• Mac – device serial number
• Linux – device serial number
• Apple iOS – UDID
• Android – 40-byte unique ID generated at installation + IMEI (GSM) or ESN (CDMA) + MAC address
AAA – Dynamic Access Policies
Device ID awareness in AnyConnect (identity used) sent to ISE for profiling
• Sent via RADIUS
• Available since ASA 9.2
• ISE 1.3 added dictionary results
AAA – Dynamic Access Policies
Common authorization checks using the ASA (optional):
• User AD group membership
• Machine is domain joined
AAA – Authorization / posture check using ISE [option]
• Posture using the NAC Agent; the Unified Agent in AnyConnect 4.0 includes ISE posture
• Machine is domain joined (checking the registry)
• With ASA 9.2, an inline posture node is not required (CoA)
AAA – Hostscan Checks
• Prelogin certificate check (optional)
  • Requires Hostscan
  • Only available on Windows, Mac & Linux
User experience on prelogin failure
Connection Profile/Tunnel Group -> Group Policy
Selection Options
• LDAP Mapping – LDAP Attribute maps you to a Group Policy
• Group URL/FQDN – ASA parses URL/FQDN, FQDN used must match ASA IP
• ISE/ACS Assigned using Vendor Specific Attribute (VSA)
• User Assigned (Drop down selection from Clientless or AnyConnect UI)
• Certificate Matching
BYOD ASA/AnyConnect with Dynamic Access Policies
Use Case 1 & 2
BYOD Access with ASA Dynamic Access Policies
• ASA SCEP Proxy providing delivery of the certificate from the Microsoft CA
• ASA providing certificate authentication / validation
• LDAP authorization
(Diagram: SCEP Proxy delivery of the user certificate; identity validation / cert AuthC on the ASA with OCSP/CRL; user AuthZ request to LDAP)
AnyConnect Client Profile – to be pushed to clients upon connect
Two AnyConnect Client Profiles are needed, one each for:
• Non-mobile devices – populates the AnyConnect client with a Connection Profile
requiring Certificate + AAA (two-factor) authentication
• Mobile devices – populates the AnyConnect client with a Connection Profile requiring
only certificate authentication. Embeds the device serial number / UUID into the SCEP
enrollment request
Delivery
AnyConnect Laptop / Desktop SCEP Use Case (CertAuthClientProfile)
Client Profile (non-mobile)
• CA URL + SCEP host info
• %USER% as CN and/or Email, used for user authorization
• Other fields optional, used in the certificate enrollment request
Delivery
AnyConnect Phone / Tablet BYOD Use Case (CertAuthMobileProfile)
Client Profile (mobile)
• CA URL + SCEP host info
• %USER% as CN and/or Email, used for user authorization
• %MACHINEID% inserted in the Department (OU) field in order to embed the device serial
number in the certificate request!
Delivery
AnyConnect Phone / Tablet BYOD Use Case (CertAuthMobileProfile)
Mobile Settings (optional)
• Connect on Demand requires certificate authentication
• Activate on Import needed for the device to automatically select the imported profile
• On Demand domain list
Delivery
AnyConnect Client Profiles – Server list configuration for client drop-down
• Configure the respective Client Profile with the correct Connection Profile name / URL
• Must match the Connection Profile GROUP URL exactly
Delivery
Connection Profiles
• Single profile for non-mobile enrollment and VPN
• Mobile enrollment
• Post-enroll mobile VPN
With this checkbox enabled inside the Connection Profile:
» a device with a certificate will authenticate (and not enroll again)
» a device without one will be able to enroll per the Group Policy settings
Delivery
Connection Profiles URLs
“CertAuthProfile”
Laptop / Desktop VPN

“CertEnrollMobile”
Phone / Tablet PKI Enrollment

“CertAuthMobile”
Phone / Tablet VPN
Delivery
Group Policy Change for SCEP Proxy
Without this setting configured:
• a device with a certificate will authenticate
• a device without a certificate will not be able to enroll
Delivery
Bind AnyConnect Client Profile to Group Policy for delivery upon connect
• After AnyConnect Client Profile created, configure Group Policy to ‘push’ it to
clients
AAA – Two Factor (User + User Certificate)
Two factor – best practice for non-mobile (CertAuthProfile)
Pre-Fill Username – binds the certificate to the user: the username is taken from the
certificate, so the password entered must belong to the certificate's subject
AAA – Certificate only authentication (plus PIN lock)
Best practice for mobile (CertAuthMobile)
Username variable constructed from certificate fields!
cn = username
ou = device id
AAA – Authorization for User AD
Check if the user is authorized for the connection
The "Authorization" check (won't work with the mobile UUID check) will not allow the connection if:
• the user account is disabled in Active Directory
• the user account is deleted in Active Directory
Deleting or disabling an account in Active Directory does NOT revoke certificates! The AD
authorization step is what stops a still-valid certificate of a departed user; revoke the
certificate as well, so that any path that skips the AD check fails at the OCSP/CRL check.
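Closing that gap is a CA-side task, not an AD-side one. The PowerShell script below is an added example, not code from the deck: it lists the certificates the Microsoft CA has issued to accounts that are now disabled or deleted and, with -Revoke, revokes them and publishes a new CRL. It assumes the ActiveDirectory RSAT module is available, that CONTOSO is a placeholder NetBIOS domain, and that the CA records requesters as DOMAIN\sAMAccountName (the AD CS default); computer accounts are skipped because machine certificates follow a different lifecycle.

```powershell
# Added example (not from the deck): find certificates the CA issued to AD
# accounts that are now disabled or deleted and revoke them. Run in an elevated
# PowerShell session on the issuing CA.
# Assumptions (not from the deck): ActiveDirectory RSAT module present, CONTOSO
# is a placeholder NetBIOS domain, requester names are DOMAIN\sAMAccountName.
param(
    [string]$Domain = 'CONTOSO',
    [switch]$Revoke                # report only unless -Revoke is given
)
Import-Module ActiveDirectory

# Disposition 20 = issued (not yet revoked). Request only the columns we need, as CSV.
$rows = certutil -view -restrict "Disposition=20" -out "SerialNumber,RequesterName,NotAfter" csv |
        ConvertFrom-Csv
if (-not $rows) { Write-Host "No issued certificates in the CA database"; return }
$cols = $rows[0].PSObject.Properties.Name     # certutil's display names, in the order requested
$now  = Get-Date
$requesterRegex = '^' + [regex]::Escape($Domain) + '\\(.+)$'
$accountState = @{}                           # cache: sAMAccountName -> 'ok' | 'disabled' | 'deleted'

$stale = foreach ($r in $rows) {
    $serial    = $r.($cols[0]) -replace '\s', ''
    $requester = $r.($cols[1])
    $notAfter  = $null
    try { $notAfter = [datetime]$r.($cols[2]) } catch { }
    if ($notAfter -and $notAfter -lt $now) { continue }       # already expired; nothing to revoke
    if ($requester -notmatch $requesterRegex) { continue }    # other domains / non-AD requesters
    $sam = $Matches[1]
    if ($sam.EndsWith('$')) { continue }                      # computer accounts are out of scope here

    if (-not $accountState.ContainsKey($sam)) {
        $u = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
        $accountState[$sam] = if (-not $u) { 'deleted' } elseif (-not $u.Enabled) { 'disabled' } else { 'ok' }
    }
    if ($accountState[$sam] -eq 'ok') { continue }
    [pscustomobject]@{ Serial = $serial; Requester = $requester; State = $accountState[$sam]; NotAfter = $notAfter }
}

$stale | Format-Table -AutoSize
if ($Revoke -and $stale) {
    foreach ($s in $stale) {
        # Reason 3 = AffiliationChanged: the user no longer belongs to the organisation.
        certutil -revoke $s.Serial 3 | Out-Null
    }
    # Publish a fresh CRL so CRL consumers and OCSP responders fed from it see the revocation.
    certutil -CRL | Out-Null
}
```

Run it without -Revoke first and review the list; a scheduled run with -Revoke turns the slide's warning into a control instead of a reminder.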


AAA – Dynamic Access Policies
3 DAP rules enforce correct policies for each connection

Dynamic Access Policies:


• Can Enforce ACL’s, restrict usage of Connection Profile or Policy, plus more
• applied in order unless a ‘terminate’ result occurs
• Multiple matches can occur which results in a merge.
AAA – Dynamic Access Policies
Security during SCEP certificate enrollment (Rule: SCEP_Required_ACL)
• Apply a network ACL to limit access to the SCEP/CA server during enrollment
• With SCEP Proxy, only the ASA needs access to the CA
AAA – Dynamic Access Policies
Security during SCEP certificate enrollment (Rule: CertMobile-Check)
• Prevents non tablet / phone devices from connecting to the "CertAuthMobile"
Connection Profile, which does not require a two-factor password
AAA – Dynamic Access Policies
Certificate move check – Cert-iOS-UUID-Check
LUA script
• endpoint.anyconnect.deviceuniqueid is supplied by AnyConnect
• aaa.cisco.username is created by the Connection Profile authentication (cn = username, ou = device id)
• If the deviceuniqueid value is not contained in the combined aaa.cisco.username value, the
certificate was moved to another device!
Validation
Online Certificate Status Protocol (OCSP) / Certificate Revocation List
• OCSP is a best practice for large deployments or immediate revocation
• CRL as a backup or for smaller deployments
CRL specific configuration
Validation
Online Certificate Status Protocol (OCSP)
ASA Certificate Troubleshooting
Chain Validated, Notice no revocation
OCSP Verification
Revoked – debug crypto ca [transactions | messages] 1-255
CRYPTO_PKI: Attempting to retrieve revocation status
CRYPTO_PKI: OCSP status is being checked for certificate. serial number:
330000001594F82695C1B6609D000000000015, subject name:
e=ned@ciscolive.demo,cn=ned.
Override was found in trustpoint: subca-ciscolive, URL found:
http://192.168.1.202/ocsp
CRYPTO_PKI: OCSP polling for trustpoint subca-ciscolive succeeded. Certificate
status is REVOKED.
OCSP Verification
Good Certificate – debug crypto ca [transactions | messages] 1-255
CRYPTO_PKI: Attempting to find OCSP override for peer cert: serial number:
330000001594F82695C1B6609D000000000015, subject name:
e=ned@ciscolive.demo,cn=ned, issuer_name: cn=WIN2012-
SUBCA,dc=CISCOLIVE,dc=DEMO.
CRYPTO_PKI: No OCSP override via cert maps found. Override was found in
trustpoint: subca-ciscolive, URL found: http://192.168.1.202/ocsp
CRYPTO_PKI: Process next cert, valid cert.
BYOD with ISE
Use Case 3
BYOD with ISE Authorization
The ASA is responsible for certificate validation / AuthC (leveraging the ID cert,
CA/intermediate certs and OCSP/CRL checking).
ISE does authorization on the username taken from the certificate.
ASA Integration with ISE – Summary
ISE
• can authorize what is passed to the ASA, e.g. the Common Name
• can support authentication as well, e.g. OTP + cert or AD + cert, etc.
• can use AnyConnect attributes
ASA
• can only send 1 authorization
• does the authentication for the certificates
• validates the certificate using the certificate store / CRL or OCSP
ASA Configuration for AuthZ
• ISE defined as RADIUS server
• Required option for ISE: Authorize user
ISE Configuration for Authorization
• Requires conditions
• Device Type defined
• NAS Port Type – Virtual
ISE Configuration for Authorization
• The option below is used because the ASA is passing a blank password (needed for ASA < 9.2)
ISE Configuration for AuthZ
• Verify the user is in the domain using the Authorization Policy
• Policy could be passed back, like a dACL, SGT (9.2), or Group Policy.
Logging – ISE 1.2 AuthZ only (Pre ASA 9.2)
• Notice that ISE authentication logs for AuthZ from the ASA show Authentication succeeded
• The details tell the real story
Logging – ISE AuthZ Successful (ASA Pre 9.2)
• Continue on failed authentication
• Certificate field lookup
• What ISE is passing back to the ASA
Logging – ISE AuthZ only (ASA Pre 9.2)
• Notice that ISE authentication logs for AuthZ from the ASA show Authentication Failed
AAA – ISE AuthZ Failed – User Account Disabled
• ISE policy to check for disabled accounts
• Account is disabled
• What ISE is passing back to the ASA
Logging – ASA with ISE 1.2 AuthZ
• Success
• Failed
ASA Configuration for ISE AuthZ (>= ASA 9.2)
• AAA Server Group configuration on the ASA
• Authorize Only is available in ASA 9.2 and above
• The ISE authentication policy does not need to be modified.
ISE 1.3 Authorization Successful (>= ASA 9.2)
• Authorization-only policy
Corporate Access
Use Case 4
Corporate Access using Computer Certificate and AD Username/Password
• ASA providing certificate authentication / validation
• ISE/AD providing AAA
• Only managed devices can connect!
(Diagram: the public CA issues the ASA identity cert; GPO delivers the computer cert from AD/CA; the ASA performs validation / AuthC; ISE with AD performs AuthZ/AuthC)
AAA - Authorization for Computer Account
• Requires manipulation of the certificate field for ISE:
  • Identity rewrite in ISE
  • LUA script on the ASA
• Or
  • Modify the certificate template to include the Distinguished Name
AAA - Authorization for Computer Account
What is ISE expecting?
• The computer name must be in a certain format for ISE to accept it:
  • host/machine_name
  • host/machine_name.domain
  • machine_name$
  • machine_name$.domain
  • Distinguished name*
AAA - Authorization for Computer Account
Identity Rewrite
• Global setting in ISE: Administration > External Identity Sources > Active Directory > Advanced Settings
Logging – ISE 1.3 AuthZ Success - Computer
• Authorization only & identity rewritten in ISE
• Authorization only and identity rewritten by the ASA
AAA - Authorization for Computer Account
Identity rewrite using LUA on the ASA
• Reformatted using host/machine_name.domain
• ASDM > Username Mapping from Certificate
• Further certificate field options and examples are covered in the ASDM help
AAA - Authorization for Computer Account
• Modify the certificate template to include the fully distinguished name
• Publish the template
• No identity rewrite or LUA script required
• Default subject name is None
AAA – Certificate authentication
Best practice for Windows GPO (Computer) – requires an AuthZ AAA group
OR
Connection Profile & Selection
• Connection Profile for machine auth
• Parse out the group using URL or certificate map
AnyConnect Client Profile Change for Machine
• Client Profile needed to allow the Machine Store to be inspected with or without
administrative rights
ISE as Certificate Authority for BYOD
Use Case 5
ISE as CA for BYOD Access
• Certificate deployed via wireless from the ISE CA
• ASA authenticates the cert & validates it using OCSP to the ISE CA
• ISE for AAA
(Diagram: native supplicant certificate delivery via wireless or wired; identity / user cert; validation / AuthC on the ASA; OCSP from the ASA to ISE 1.3; AuthC/AuthZ on ISE with AD; public CA for the ASA identity cert)
Delivery
Authentication & Authorization
• Wireless_802.1X predefined compound condition used as trigger
• Allowed Protocols should include PEAP and EAP-TLS
• EAP-TLS AuthZ policy to allow access*
• PEAP-only AuthZ to trigger provisioning*
Delivery
Client Provisioning and Authorization
• OS and EAP-TLS profile defined
• Native supplicant provisioning
OCSP
ASA -> ISE OCSP
• URL for the ASA OCSP client, defined by default
• Default OCSP profile
• Responder on by default
OCSP
ASA -> ISE OCSP
• Import the ISE SubCA / RootCA certificates
• Intermediate required if ISE is a sub of the MSFT CA [option]
• ASA OCSP lookup to the ISE CA
Connection Profile Selection / OCSP
ASA -> ISE OCSP
• ISE_CA map used in OCSP to associate the correct certificate lookup.
• Maps the certificate to the correct Connection Profile
CRYPTO_PKI: Starting OCSP revocation
CRYPTO_PKI: Attempting to find OCSP override for peer cert: serial number: 15B133D2E658491F8807B95A95CE6A00, subject name:
c=US,st=TX,l=Houston,ou=ciscolive,cn=ned, issuer_name: cn=Certificate Services Endpoint Sub CA - ise13.
CRYPTO_PKI: Match of issuer-name attr field to map PASSED. Peer cert field: cn = Certificate Services Endpoint Sub CA - ise13, map
rule: issuer-name attr cn eq certificate services endpoint sub ca - ise13.
CRYPTO_PKI: Peer cert has been authorized by map: ISE_CA sequence: 10.
CRYPTO_PKI: Found OCSP override match. Override URL: http://192.168.1.205:2560/ocsp/, Override trustpoint: Root_Internal_CA
OCSP
Certificate Hierarchy & OCSP Signing Error
The cert hierarchy looks like this:
• Root -> SubCA -> Endpoint Certificate
• Root -> OCSP Signer
The OCSP response signer does not match the endpoint certificate's issuer, so a cert map with an
override to the Root CA trustpoint is needed.
E.g. error without the cert map / override:
CRYPTO_PKI: OCSP Responder cert validation failed -1
CRYPTO_PKI: Failed to verify response - invalid status being returned -1
CRYPTO_PKI: transaction GetOCSP completed
CRYPTO_PKI: Blocking chain callback called for OCSP response (trustpoint:
ISE_Internal_CA, status: 2)
OCSP
OCSP Working, but is that an Error? -> Answer: NO
Found response for request certificate!
These messages are displayed because you are using a different cert for the OCSP check
(i.e. a cert map with override):
CRYPTO_PKI: Verifying OCSP response with 1 certs in the responder chain
CRYPTO_PKI: Validating OCSP response using trusted CA cert: serial number:
159A0691584B65BB5C9596E252F789, subject name: cn=Certificate Services
Root CA - ise13, issuer_name: cn=Certificate Services Root CA - ise13
CRYPTO_PKI: Searching for ResponderID cert by keyhash
CERT-C: W ocsputil.c(538) : Error #708h
CERT-C: W ocsputil.c(538) : Error #708h
CRYPTO_PKI: Validating OCSP responder certificate: serial number: 1E23C9C8FBEB4A82AF350939355CBA3E, subject
name: cn=Certificate Services OCSP Responder - ise13, issuer_name: cn=Certificate Services Root CA - ise13, signature
alg: SHA256/RSA
CRYPTO_PKI: verifyResponseSig:3191
CRYPTO_PKI: OCSP responder cert revocation check was skipped due to configuration.
OCSP
OCSP Verification using Wireless – Good Certificate, Internal CA Check
• Good
• Root CA check
OCSP
OCSP via ISE OCSP Logs – Good Certificate
OCSP Verification ASA -> ISE CA
Certificate Valid
CRYPTO_PKI: Verifying certificate with serial number:
15B133D2E658491F8807B95A95CE6A00, subject name:
c=US,st=TX,l=Houston,ou=ciscolive,cn=ned, issuer_name: cn=Certificate
Services Endpoint Sub CA - ise13, signature alg: SHA256/RSA.
CRYPTO_PKI: Responder cert status is not revoked
CRYPTO_PKI: response signed by the CA
CRYPTO_PKI: transaction GetOCSP completed
CRYPTO_PKI: Process next cert in chain entered with status: 1.
CRYPTO_PKI: Process next cert, valid cert.
OCSP Verification ASA -> ISE CA
Certificate Revoked
CRYPTO_PKI: Verifying certificate with serial number:
15B133D2E658491F8807B95A95CE6A00, subject name:
c=US,st=TX,l=Houston,ou=ciscolive,cn=ned, issuer_name: cn=Certificate
Services Endpoint Sub CA - ise13, signature alg: SHA256/RSA.
CRYPTO_PKI: response signed by the CA
CRYPTO_PKI: transaction GetOCSP completed
CRYPTO_PKI: Process next cert in chain entered with status: 13.
CRYPTO_PKI: Process next cert, Cert revoked: 13
OCSP Errors with ISE CA
If the clocks of the ASA and ISE are not in sync, OCSP will fail:
CRYPTO_PKI: ERROR: OCSP validationTime < thisUpdate
12/15/2014 14:36:08 < 12/15/2014 14:47:14
* verify both use the same NTP source
Certificate Errors with ISE CA
Certificate not valid, Missing Trustpoint -> import the ISE SubCA and Root certificates
Endpoint Certificates
Administration > Certificates
• Revoke certificates
• No Hold or Pause, which is available in the MSFT CA
• $Username from the certificate template is always CN
Agenda

• PKI Overview
• CA Overview / Configuration Details
• Advanced SSLVPN Use Cases + BYOD
• ASA
• iOS & Android / Mac & Windows
• ASA + ISE
• Corporate
• ISE as CA

• Troubleshooting & Management


Management
Troubleshooting options:
• Microsoft Certificate Services
• ISE CA Certificate Services
• ASA certificate logging / debugging
• ASDM Syslog Tool
• Dynamic Access Policy + LDAP debugging
• ISE/ACS logging
Monitoring and reporting options:
• Cisco Security Manager
• Cisco Secure Access Control Server
• Cisco Identity Services Engine
Microsoft Certificate Authority Troubleshooting
Server Manager, Event Viewer and Certificate Services are FULL of info
ISE Certificate Authority Troubleshooting
Radius Logs, ISE Debugs – CAService, OCSP, SCEP
ASA Certificate Troubleshooting
Enable the following debugs for certificate troubleshooting on SSL VPN sessions:
• logging enable
• logging class ca console debugging
• debug crypto ca 3
• debug crypto ca transactions 3
• debug crypto ca messages 3
• debug webvpn 255
• debug crypto ca scep-proxy 255
Note: elevating the level to, say, 5 or 10 may be useful in some cases where more detail is required.
Certificate Authentication Verification
• ciscoasa# show vpn-sessiondb detail anyconnect
Event Monitoring- ASDM
ASDM Troubleshooting
Debug DAP
• CLI: debug dap [trace | error]
• Define a logging filter for DAP debugging so it shows up in the ASDM syslog tool
Example output of DAP in ASDM
ASDM Troubleshooting
Debug LDAP
• Since DAP includes an LDAP lookup, all the LDAP attributes are displayed
• Especially useful when configuring authorization rules against the LDAP database
Event Monitoring- Cisco CSM 4.2+
Reporting – ACS5.x/ISE 1.x and CSM 4.2+
Certificate Enrollment
BYOD End user experience – Apple iPad
• "Activate on import" is recommended in the AnyConnect Client Profile for mobile devices
• No need to MANUALLY select the profile
Certificate Enrollment
BYOD End user experience – Windows 8.1
Client Certificate Troubleshooting
Result of Revoked Certificate or Other Causes
Certificate Configuration Error
• Missing Private Key (p7b)
• End User Privileges
• Certificate in wrong store
• XML profile
Tools to help
• winhttpcert
• System events
• DART
Summary

• PKI Overview
• Overview and configuration of
ISE/Microsoft Certificate Authorities
• Advanced Use Cases using
Cisco AnyConnect with certificates
• Troubleshooting and Management
Q&A
Wrap up!
Certificates excel at 2-factor authentication or mobile platform authentication
• Certificates are easy to use
• Certificates can be made easy to deploy
• Tomorrow (tonight!) you will be able to deploy Advanced Use Cases of PKI for VPN!
• Cisco 2015 Annual Security Report
• Now available:
• cisco.com/go/asr2015
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could Be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle @n3d
• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.
• Complete your session surveys
though the Cisco Live mobile
app or your computer on
Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Demos
• Untrusted Certificate and Manual SCEP example
• http://www.youtube.com/watch?v=j6CS2R2x1ZY
• Getting certificate using SCEP Proxy
• http://www.youtube.com/watch?v=l6W7gw3f94A
• Debug of Revoked Certificate Authentication
• http://www.youtube.com/watch?v=Un_S_uJ4M1Q
• Certificate Authentication with Prefill End User Experience
• http://www.youtube.com/watch?v=zyGXCKlTxQ8
• Debug of SCEP Proxy
• http://www.youtube.com/watch?v=tkljGm7Lhiw
• Certificate Authentication with ISE Authorization
• http://www.youtube.com/watch?v=sHd34CUH68A
• Debug of Good Certificate Authentication
• http://www.youtube.com/watch?v=i6oFg-VsaG0
Additional Information Sources
Cisco Resources
• ASA 8.X: AnyConnect SCEP Enrollment Configuration Example
• How to obtain a Digital Certificate from a Microsoft Windows CA using ASDM on
an ASA
• www.cisco.com/go/vpn
• www.cisco.com/go/anyconnect
• www.cisco.com/go/asa
• www.cisco.com/go/ise
Extras
PKI Components
Advantages of Certificates
• Two-factor Authentication using Identity Certificate (What you need) plus
username/password (What you have)
• Less expensive TCO alternative to token solutions
• Simpler end-user experience = Happier users ☺
• Increased protection against Phishing, MiTM and Social Engineering Attacks
• Provides a user friendly experience for Mobile device VPN
• Automatic On-demand VPN connectivity
• Establish VPN security policy per device
Disadvantages of Certificates
VPN Use Case
• Another mouth to feed!
• Must maintain PKI server(s) and keep highly available (backups, redundancy, updates)
• Portability and Enrolling Multiple Devices
• Multiple end user devices = multiple identity certificates
• Can't use an endpoint for VPN until it has been enrolled first
• General lack of PKI skillset in IT today
• Steeper learning curve than deploying OTP solutions
• Incorrect deployments can be insecure
Other Certificate Authorities
• On Premise
• Appliance based
• Broad feature support
• Windows & Non-Windows focus

• Hosted
• Cloud based SaaS offering
• Less care and feeding
• Usually more expensive
Certificate Authority Recommendations
If Mostly AD Domain Joined Computers:
• Microsoft Windows 2008 R2 Enterprise Certificate Authority
• Low cost, most Windows Server customers already own this
• User and Machine certificates can be auto deployed using Group Policy
• SCEP and Web enrollment support for mobile / non domain devices

If Mostly non-domain joined computers and non-Windows devices:
• MSFT or 3rd party on premise or cloud service
• Tightly integrated with Cisco ASA
• Streamlined enrollment process
Certificate File Formats Demystified
• DER (.der .cer) – Distinguished Encoding Rules
• Binary encoded single cert per file
• Cannot copy / paste
• PEM (.pem .cer .crt) – Privacy Enhanced Mail
• Base64 encoded text
• Can copy / paste
• PKCS #7 (.p7b .p7c)
• Like PEM with root cert chain
• PKCS #12 (.pfx .p12)
• Like PKCS #7 w/ Private Key!
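A small format detector for the four file types listed above, added here as an example (it is not code from the deck or from Cisco). It tells PEM from DER by the armour, then looks only at the outer DER structure to distinguish a bare certificate, a PKCS#7 bundle and a PKCS#12 keystore, and it flags when private-key material is present, which is the property that matters before a file is copied around. The sample blobs at the bottom are constructed shapes, not real certificates or keys.

```python
import base64
import re

# OID of PKCS#7 SignedData, the outer content type a .p7b bundle carries (well-known value).
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _read_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def classify_der(data):
    """Name a DER object from its outer structure alone (no full X.509 parse)."""
    if len(data) < 2:
        return "unknown (too short)"
    tag, body, _ = _read_tlv(data)
    if tag != 0x30 or len(body) < 2:
        return "unknown (not a SEQUENCE)"
    inner_tag, inner, _ = _read_tlv(body)
    if inner_tag == 0x30:                    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
        return "DER certificate"
    if inner_tag == 0x06 and _decode_oid(inner) == OID_SIGNED_DATA:   # ContentInfo { signedData ... }
        return "PKCS#7 (.p7b) bundle"
    if inner_tag == 0x02 and int.from_bytes(inner, "big") == 3:       # PFX ::= SEQUENCE { version 3 ... }
        return "PKCS#12 (.pfx/.p12) keystore"
    return "unknown DER object"


def classify(data):
    """Classify raw file bytes: PEM or DER, what is inside, and whether a private key rides along."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [label.decode() for label, _ in blocks]
        inner = [classify_der(base64.b64decode(b64)) for label, b64 in blocks
                 if label in (b"CERTIFICATE", b"PKCS7")]
        return {"encoding": "PEM", "labels": labels, "inner": inner,
                "private_key": any("PRIVATE KEY" in lab for lab in labels)}
    kind = classify_der(data)
    return {"encoding": "DER", "labels": [kind], "inner": [kind],
            "private_key": kind.startswith("PKCS#12")}   # a PKCS#12 always carries key material


# --- constructed samples (structural shapes only, not real certificates or keys) ---
def _tlv(tag, value):
    """Tiny DER encoder (short-form lengths) used only to build the samples below."""
    return bytes([tag, len(value)]) + value


SAMPLE_DER_CERT = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")))
SAMPLE_P7B = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010702")))   # signedData OID
SAMPLE_P12 = _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, b""))             # version 3 PFX
SAMPLE_PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER_CERT)
                   + b"\n-----END CERTIFICATE-----\n")
SAMPLE_PEM_WITH_KEY = SAMPLE_PEM_CERT + b"-----BEGIN PRIVATE KEY-----\nAA==\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER_CERT), ("p7b", SAMPLE_P7B), ("p12", SAMPLE_P12),
                       ("pem", SAMPLE_PEM_CERT), ("pem+key", SAMPLE_PEM_WITH_KEY)]:
        print(name, classify(blob))
```

The point of the `private_key` flag is the last bullet on the slide: a .p12/.pfx, or a PEM file with a PRIVATE KEY block, is a credential and has to be handled as one, whereas a .p7b is only a chain and is safe to hand out.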
Types of Client Digital Certificates
1. User (identity) Certificates
2. Device / Computer (identity) Certificates
3. Hybrid Certificates
• Multiple fields for different identity characteristics (i.e. username + device serial number)
How Identity Certificates Work
VPN Use Case – Exchange of Certificates
• Certificate validation steps:
– Has the digital certificate been issued by a trusted CA?
– Is the certificate expired? (start + end date validity check)
– Has the certificate been revoked? (OCSP or CRL check)
– Does the VPN URL match the CN or SAN field in the certificate?
• Protects against Man in the Middle Attacks
– ASA checks against a known trusted CA
Certificate Revocation Explained
• Certificate Revocation List (CRL)
• Flat text file containing serial numbers of revoked certificates
• May be retrieved via HTTP / LDAP
• Delta CRL
• CRL "update" containing only "new" revoked serial numbers since last update
• Limited Device / client support!
• Online Certificate Status Protocol (*best practice)
• Protocol to request revocation status of an individual certificate serial number
• Usually a dedicated server separate from Certificate Authorities
• Requests can be digitally signed (must not require signing, per RFC 2560)
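The four validation steps listed under "Exchange of Certificates" above, with the revocation step done as a CRL lookup from this slide, as one added example (not code from the deck or from Cisco). The certificate record, the CRL listing and the `example.com` names are constructed; the issuer string and the revoked serial are copied from the logs elsewhere in this deck. One assumption of the example that goes slightly beyond the slide: it follows RFC 6125 and consults the CN only when the certificate has no SAN, and a wildcard covers exactly one leftmost label.

```python
from datetime import datetime, timezone


def load_crl_serials(crl_text):
    """Parse a constructed flat CRL listing: one hex serial per line, '#' starts a comment."""
    serials = set()
    for line in crl_text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            serials.add(entry.upper())
    return serials


def hostname_matches(hostname, names):
    """RFC 6125 style match: exact name, or '*' covering exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                                    # ".example.com"
            leftmost = host[:-len(suffix)] if host.endswith(suffix) else ""
            if leftmost and "." not in leftmost:
                return True
    return False


def validate(cert, trusted_issuers, revoked_serials, now, vpn_hostname=None):
    """Apply the four checks from the slide; returns the list of failures ([] = accepted)."""
    failures = []
    if cert["issuer"] not in trusted_issuers:                     # 1. issued by a trusted CA?
        failures.append("issuer not trusted")
    if not (cert["not_before"] <= now <= cert["not_after"]):       # 2. inside the validity period?
        failures.append("outside validity period")
    if cert["serial"].upper() in revoked_serials:                  # 3. revoked? (CRL lookup)
        failures.append("revoked (serial on CRL)")
    if vpn_hostname is not None:                                   # 4. URL matches CN or SAN?
        # SAN is authoritative when present; the CN is a fallback only (RFC 6125).
        names = cert["san_dns"] or [cert["subject_cn"]]
        if not hostname_matches(vpn_hostname, names):
            failures.append("hostname does not match CN/SAN")
    return failures


# --- constructed sample data (not real certificates) ---
TRUSTED_ISSUERS = {"cn=WIN2012-SUBCA,dc=CISCOLIVE,dc=DEMO"}   # issuer name from the ASDM log in this deck
SAMPLE_HEADEND_CERT = {
    "serial": "01A2B3C4D5",                                    # made up
    "subject_cn": "vpn.example.com",
    "san_dns": ["vpn.example.com", "*.example.com"],
    "issuer": "cn=WIN2012-SUBCA,dc=CISCOLIVE,dc=DEMO",
    "not_before": datetime(2014, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2016, 1, 1, tzinfo=timezone.utc),
}
SAMPLE_CRL_TEXT = """\
# constructed CRL: serials revoked by the issuing CA
15B133D2E658491F8807B95A95CE6A00   # the revoked user cert seen in the ASA debug above
0000DEADBEEF
"""
NOW = datetime(2015, 6, 1, tzinfo=timezone.utc)


def check_headend(hostname, serial=None, when=NOW):
    """Run the validator on the sample headend cert; the overrides exercise the failure paths."""
    cert = dict(SAMPLE_HEADEND_CERT, serial=serial or SAMPLE_HEADEND_CERT["serial"])
    return validate(cert, TRUSTED_ISSUERS, load_crl_serials(SAMPLE_CRL_TEXT), when, hostname)


if __name__ == "__main__":
    print(check_headend("vpn.example.com"))                                 # []
    print(check_headend("a.b.example.com"))                                 # wildcard spans one label only
    print(check_headend("vpn.example.com", serial="15b133d2e658491f8807b95a95ce6a00"))  # revoked
```

Returning the full list of failures rather than stopping at the first one is deliberate: when a user reports "certificate invalid", seeing that the cert is both expired and on the CRL tells you the real story faster than a single boolean.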
How Identity Certificates Work
VPN Use Case – Parsing of Certificate Attributes
[Figure: Subject (CN) & Subject Alternative Name (SAN) fields]
How Identity Certificates Work
Forcing per user cert authentication
BYOD Certificate Deployment
• SCEP Proxy "hides" CA Server from Client
• Client creates public / private key pair locally before sending Certificate Signing Request (CSR) inside of SCEP session
[Figure: AnyConnect Client Browser -> ASA Headend -> Certificate Authority. SCEP sends CSR to CA; ASA HTTP relays CSR from client and PKCS7 from CA; relayed response with certificate chain from CA]
Common x.509 Certificate Myths!
• Confusing end user experience!
• Which certificate do I choose and when?
• Certificate warning pop-ups
• Tedious and confusing certificate enrollment process
• Not true two-factor authentication!
• Anyone on the PC can use my VPN
• Everyone has the same certificate
• Hard to deploy!
• Takes forever to setup and get right
• Hard to create a robust PKI in house, huge project
• Hard to get certificate to user / device for each device!
• Hard to manage!
• Takes several FTE to run this thing
• Lots of care and feeding
• Troubleshooting is a nightmare
Common Myths Busted!
• Confusing end user experience?
• In most cases the user will not interact with a certificate
• Even enrollment can be made completely transparent to the end-user
• Certificates = Happy Users ☺
• Not true two-factor authentication?
• Accepted by PCI, FISMA, NIST…
• Needs to be identity based certs not shared certs
• Can be paired with local device lock / login requirement
• Hard to deploy?
• Usually a skillset issue not a technology issue
• Can be deployed in about a day using MSFT AD CA
• Complete automation for AD domain PC's
• Hard to manage?
• Once deployed there is very little on-going maintenance or management
• Cisco ASA provides easy to understand error logs when something goes wrong
CA Roles Defined
• Certificate Authority: Required for CA services
• Certificate Authority Web Enrollment: Provides enrollment for devices not joined to the domain and users of non-Microsoft OS's.
• Certificate Enrollment Policy Web Service: Uses HTTPS and CEWS (below) to enroll clients that are not members of a domain or not joined to a domain.
• Certificate Enrollment Web Service: Uses HTTPS and CEPWS (above) to enroll clients that are not members of a domain or not joined to a domain.
• Network Device Enrollment Service: Same as SCEP (Simple Certificate Enrollment Protocol).
• Online Responder: Based on Online Certificate Status Protocol (OCSP) to dynamically manage revoked certificates.
Microsoft 2008 R2 Editions
Summary on GPO Certs / Auto Enrollment
Easy but be careful!
5 Steps – Almost too easy!
1) Duplicate/Modify Template (User / Computer)
2) Security - Group (Domain Users/ Domain Computers)
3) Permissions - set Autoenroll to deny
4) Publish
5) Domain Policy Change enabling auto enrollment (Computer and User)
6) Verify and then Go back to Template Permissions -> set Autoenroll to Allow
Microsoft CA Event Viewer
Works on Vista/Win7 or CA Server 2008
For more detailed logs turn on CryptoAPI 2.0 Diagnostics logging
1. In the Event Viewer, navigate to Application Logs > Microsoft> Windows>
CryptoAPI 2.0 or CAPI2 for the CryptoAPI 2.0 channel
2. Right-click, Enable Log
Certificate Delivery Failure (ASA or ISE)
NDES Service Template Expiry
• These certs cannot auto renew. The default template is 2 years.
• http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Renewing_Service_Certificates
Certificate Delivery Failure (ASA or ISE)
NDES Service Template Expiry
There are 2 ways to solve the problem (once you hit it):
• Use the NDES Service Account and, using MMC -> Certificates (computer account), renew the certs (I did not know the password)
• Remove the NDES feature from the CA (role) and re-add it (this worked for me).
Best practice is to modify the service templates for CEP Encryption and Exchange Enrollment to longer than 2 years.
Let's Build a Root CA!
Install the 2012 R2 server
Building the Enterprise Root CA: Add Roles and Features
CA Name and Validity Period
Default validity period is 5 Years.
Add AD Certificate Services Role
Add AD Certificate Services
CA Role install
Must install Certificate Authority first over others!
Continuing Certificate Services Install
Click on Add Roles and Features to finish additional CA services install.
Additional Certificate Services…
Add remaining certificate services
Configure Certificate services
CA Roles Defined
• Certificate Authority: Required for CA services
• Certificate Authority Web Enrollment: Provides enrollment for devices not joined to the domain and users of non-Microsoft OS's.
• Certificate Enrollment Policy Web Service: Uses HTTPS and CEWS (below) to enroll clients that are not members of a domain or not joined to a domain.
• Certificate Enrollment Web Service: Uses HTTPS and CEPWS (above) to enroll clients that are not members of a domain or not joined to a domain.
• Network Device Enrollment Service: Same as SCEP (Simple Certificate Enrollment Protocol).
• Online Responder: Based on Online Certificate Status Protocol (OCSP) to dynamically manage revoked certificates.
Configure CA Roles
• Cannot install Certificate Authority and NDES simultaneously!
• Must install separately or will see Error condition below.
Enterprise CA
Specify Enterprise CA and Root CA
Additional CA Roles
Administrator account MUST belong to
IIS_IUSRS group!
Creating User Certificate Template
• Required for deployment. Must duplicate default template!
• Tools > Certificate Authority > Certificate Template(right-click) > Manage
User Template Settings
Uncheck private key to be exported!
• 2048-bit (2k) keys are standard
• Larger keys will have an impact on ISE and ASA performance
• Key size larger than 1024 will impact ASA 5505/5510/5520/5540/5550 sizing for SSL
Creating User Certificate Template
Workstation Template
• Required for Machine Authentication (EAP-TLS)
• Required for EAP Chaining
• Certificate Authority > Certificate Template (right-click) > Manage
• Certificate Template > WorkstationAuthentication (right-click) > Duplicate
Enable AutoEnrollment in GPO (Computer/User)
GPO Authorization
Customer disabled support for certificates in GPO
Verify GPO policies allow certificates to be used for authentication
Verification of User and Machine templates
• Can issue "gpupdate.exe /force" at DOS Command Prompt
• Check C:\Users\<yourname>\mmc for deployed certs
• If no success, check Domain Users/Machine Permissions and GPO!
Regedit for MSCEP (NDES)
• Computer\HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP
• Must match desired template name exactly
• Only single template allowed for all SCEP enrollments

TemplateName
IIS Manager: IP and Domain Restrictions
Restricting SCEP Requests to Trusted Hosts (ASA)
• Add Roles and Features > Web Server (IIS) > Security > IP and Domain
Restrictions > Restart IIS Service! (GUI different from Windows 2008)
• Actions Menu> Add Allow/Deny Entry…
IIS Manager: IP and Domain Restrictions
Restricting SCEP Requests to Trusted Hosts (ASA)
• (Optional) Domain name Restrictions
• Dramatically affects server performance (per Microsoft)
Potential Certificate Error
• From the (CCO) published ISE+Windows 2008 Server configuration guide,
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_60_byod_certificates.pdf
• In Windows 2012 R2, leave Issuance Policies Blank (default)!
Other Potential Certificate Errors…
• Email info missing from User account
• Didn't modify/duplicate the default template
• Most likely mismatching Extensions or Issuance Policy
Workstation Template
Default Subject name format = None
Certificate Revocation List (CRL)
• CRL enables the revocation of certificates by publishing a list of revoked certificates
• A client will fetch the CRL periodically from the CRL Publisher with HTTP, LDAP, File Share, etc.
• CRL pros and cons:
• The Revocation List can get quite large over time: will consume resources to download and process
• Delta CRLs can be used to alleviate this problem but not all clients support them (ISE only supports Full CRLs)
• A device with a revoked certificate could still have access for some time since CRLs are not real-time
• OCSP is generally preferred over CRL
CRL – Certificate Authority Configuration
• In the Certificate Authority tool -> right-click Revoked Certificates
• Short CRL interval -> more bandwidth and resources used on CA and ISE
• Long CRL interval -> certificate revoked could have access for some time
• Alternative: Manually publish the CRL after revoking a certificate
• N.B.: Delta CRLs are not supported with ISE!!
CRL – Certificate Authority Configuration
• Right Click your CA -> Extensions
• Select Certificate Distribution Point
• Add a URI Location: This will be the location your clients will use to download the CRL!!!
Online Certificate Status Protocol (OCSP)
• OCSP enables the real-time validation of a certificate status between the Radius server
and the Certificate Authority during the 802.1X authentication phase
• An OCSP responder will fetch the CRL dynamically from the CRL Publisher and expose it
to the outside world with HTTP, LDAP, SMTP, etc. (ISE and ADCS support HTTP)
• OCSP comparison with CRL:
• More up-to-date information on certificate status
• Client does not have to download the whole CRL -> Uses much less bandwidth and resources to
process
• Can be subject to replay attacks
OCSP Configuration
3 main steps are required for the OCSP service:
• Create the OCSP Responder Template
• Duplicate the built-in "OCSP Response Signing Template"
• Configure the Certificate Authority for OCSP
• Including the AIA extension for the OCSP URL
• Configure the OCSP Responder parameters
Turn on OCSP
1. OCSP template - Add Enroll Permission to CA Computer account
2. Add Revocation Configuration from Online Responder Snap-in
OCSP Success
IIS Security Limits: Max URL Length
• SCEP clients can possibly generate long URLs that exceed the IIS Web Server default limit (4096).
• From the NDES server CLI:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"8192" /commit:apphost
• http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html#anc10
IIS Security Limits: Max URL Length
1. Via IIS Manager GUI, select Default Web Site > Request Filtering > (right-click) Open Features
2. Choose Rules Tab > Edit Features Settings
3. Extend Max URL Length (Bytes)
4. Reboot!
Cisco ASA Certificate Authority
Summary
• Free with ASA, no extra licensing
• Simple functions, limited scaling
• No support for High Availability (no clustering or failover of CA)
• Cannot be subordinate CA, only standalone Root
Cisco ASA Certificate Authority
Configuration Best Practices
• Small deployments only (<50)
• Manual Backup/Restore Regularly (all certificates and private keys stored in flash)
• Would not recommend Manual SCEP
• ASA Root CA can be manually exported for use in multiple ASA's (see backup slides!)
Cisco ASA CA Configuration
Minimum configuration steps:
1. Passphrase to secure CA key files
2. Email server settings to notify users of enrollment (e.g. smtp.corp.com)
ASA CA Operations
ASA CA User Enrollment experience
Cisco ASA SSLVPN Connection Log
How to Export Local ASA CA Cert
Steps:
1. Copy ASA certificate chain (i.e. LOCAL-CA-SERVER.p12) to any PC with OpenSSL
2. openssl pkcs12 -in LOCAL-CA-SERVER.p12 -out asa-ca.pem -nodes -nokeys
3. Import asa-ca.pem to 'other' ASA's via ASDM or CLI
4. Manually add CRL URL to 'other' ASA
** Note private keys do not need to be moved **


AAA
Device/AD Authorization for Mobile
• Input Device ID into extensionAttribute1
• If multiple devices, leverage
extensionAttribute#
• Device ID can be retrieved from syslog or
require pre-registration of mobile devices.
• Pre-registration is a best practice because it
lets you set standards for your IT to support.
ASA SCEP Proxy Connection Flow
AnyConnect handles with and without Certificate
AAA – Dynamic Access Policies
Restrict while doing enrollment
• SCEP Required is a value that is populated true when you fail certificate authentication and the connection profile is set for SCEP Proxy
• Leverage this field in a DAP rule to further control security of enrollment

Signature Verification Steps
Separate the message from the signature
Message:
1. Hash the message
Signature:
1. Decrypt the signature using the public key
2. Decrypted signature should contain the hash of the message
If hashes are equal, signature is verified
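The two columns of the slide carried through in code, as an added example that is not part of the deck: the verifier hashes the message itself, "decrypts" the signature with the public key to recover the signer's hash, and accepts only when the two are equal. The key is a toy built from two known Mersenne primes so the block runs offline without a crypto library (about 150 bits, far from secure), and the digest is truncated to fit under that modulus; real signatures use 2048-bit CA-issued keys and PKCS#1 padding of the full digest. The message strings are constructed.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes so the example needs no crypto library.
# ~150-bit keys are NOT secure; this only illustrates the steps on the slide.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def _modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def make_keypair():
    """Return ((n, e), (n, d)); the public half is what a certificate would carry."""
    n = P * Q
    d = _modinv(E, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def message_digest(message):
    """Hash the message (SHA-256), truncated to 128 bits so it is smaller than the toy modulus.
    Real signatures pad the full digest (PKCS#1) instead of truncating it."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message, private_key):
    """Signer side: 'encrypt' the hash of the message with the private key."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message, signature, public_key):
    """Verifier side, exactly the two columns on the slide:
    left  - hash the message yourself;
    right - 'decrypt' the signature with the public key to recover the signer's hash;
    the signature is valid only if the two hashes are equal."""
    n, e = public_key
    recovered_hash = pow(signature, e, n)
    return recovered_hash == message_digest(message)


if __name__ == "__main__":
    public, private = make_keypair()
    sig = sign(b"hello ASA", private)
    print(verify(b"hello ASA", sig, public), verify(b"hello ASB", sig, public))   # True False
```

The second and third assertions below are the ones that matter operationally: a one-byte change to the message, or to the signature, makes the recovered hash disagree, which is why a CA signature on a certificate (or an OCSP response) can be trusted only after this comparison, never because the bytes merely arrived.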
Advanced DAP
Example of Advanced LUA using Certificate Checks

assert(function()
  -- walk every user certificate the endpoint presented
  for k,v in pairs(endpoint.certificate.user) do
    -- certificate MD5 hash must equal the LDAP physicalDeliveryOfficeName attribute
    if (EVAL(v.md5_hash, "EQ", aaa.ldap.physicalDeliveryOfficeName, "string")) and
       -- issuer CN must match
       (EVAL(endpoint.certificate.user.issuer_cn, "EQ", "Joe Smith", "string")) and
       -- device ID must equal the e-mail (subject_e) field of the certificate
       (EVAL(endpoint.device.id, "EQ", endpoint.certificate.user.subject_e, "string"))
    then
      return true
    end
  end
  return false
end)()
Management
Debug Cert – A Debug of Valid Cert
Management
Debug Cert – A Debug of Revoked Cert
Management
Debug Cert – Debug of Valid Cert Chain
ASA Certificate Troubleshooting
Revocation status check – ASDM Log
(ASDM lists the newest entry first, so read this sequence from the bottom up.)
• Certificate chain was successfully validated with revocation status check.
• No-check extension found in certificate. OCSP check bypassed.
• OCSP response received.
• OCSP status is being checked for certificate. serial number: 330000001594F82695C1B6609D000000000015, subject name: e=ned@ciscolive.demo,cn=ned.
• Found a suitable trustpoint subca-ciscolive to validate certificate.
• Identified client certificate within certificate chain. serial number: 330000001594F82695C1B6609D000000000015, subject name: e=ned@ciscolive.demo,cn=ned.
• Certificate was successfully validated. Certificate is resident and trusted, serial number: 3300000006BB5971B269ABC1CB000000000006, subject name: cn=WIN2012-SUBCA,dc=CISCOLIVE,dc=DEMO.
• Certificate was successfully validated. Certificate is resident and trusted, serial number: 7AC53A4141EF36B747B8D0F25F355E10, subject name: cn=WIN2012-ROOT-CA,dc=CISCOLIVE,dc=DEMO.
• Validating certificate chain containing 3 certificate(s).
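A parser that reduces these ASDM entries, and the `debug crypto ca` excerpt for the revoked ISE-issued certificate at the start of this section, to a single verdict per validation, added here as an example (not code from the deck or from Cisco). Both samples are constructed from the lines quoted in this deck. It replays ASDM output in chronological order, records the trust anchors, the trustpoint, the client certificate and whether that certificate was actually submitted to OCSP; the "No-check extension found" bypass is expected for the OCSP responder's own signing certificate (which carries id-pkix-ocsp-nocheck), so the example treats it as normal only when an OCSP check of the client certificate was seen as well.

```python
import re

# Constructed sample 1: the ASDM entries quoted above, in the order ASDM lists them (newest first).
ASDM_LOG_VALID = """\
Certificate chain was successfully validated with revocation status check.
No-check extension found in certificate. OCSP check bypassed.
OCSP response received.
OCSP status is being checked for certificate. serial number: 330000001594F82695C1B6609D000000000015, subject name: e=ned@ciscolive.demo,cn=ned.
Found a suitable trustpoint subca-ciscolive to validate certificate.
Identified client certificate within certificate chain. serial number: 330000001594F82695C1B6609D000000000015, subject name: e=ned@ciscolive.demo,cn=ned.
Certificate was successfully validated. Certificate is resident and trusted, serial number: 3300000006BB5971B269ABC1CB000000000006, subject name: cn=WIN2012-SUBCA,dc=CISCOLIVE,dc=DEMO.
Certificate was successfully validated. Certificate is resident and trusted, serial number: 7AC53A4141EF36B747B8D0F25F355E10, subject name: cn=WIN2012-ROOT-CA,dc=CISCOLIVE,dc=DEMO.
Validating certificate chain containing 3 certificate(s).
"""

# Constructed sample 2: the 'debug crypto ca' excerpt for the revoked ISE-issued cert (chronological).
DEBUG_LOG_REVOKED = """\
CRYPTO_PKI: Verifying certificate with serial number: 15B133D2E658491F8807B95A95CE6A00, subject name: c=US,st=TX,l=Houston,ou=ciscolive,cn=ned, issuer_name: cn=Certificate Services Endpoint Sub CA - ise13, signature alg: SHA256/RSA.
CRYPTO_PKI: response signed by the CA
CRYPTO_PKI: transaction GetOCSP completed
CRYPTO_PKI: Process next cert in chain entered with status: 13.
CRYPTO_PKI: Process next cert, Cert revoked: 13
"""

ASDM_ID = re.compile(r"serial number: ([0-9A-Fa-f]+), subject name: (.+?)\.?$")
DEBUG_ID = re.compile(r"serial number: ([0-9A-Fa-f]+), subject name: (.+?), issuer_name:")


def summarize(log_text, newest_first):
    """Replay the log chronologically and reduce it to one verdict per validation."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()                      # ASDM shows newest first; replay oldest first
    s = {"chain_length": None, "anchors": [], "client": None, "trustpoint": None,
         "ocsp_checked_serial": None, "ocsp_response": False, "nocheck_bypass": False,
         "result": "unknown", "status_code": None}
    for line in lines:
        m = re.search(r"chain containing (\d+) certificate", line)
        if m:
            s["chain_length"] = int(m.group(1))
        elif line.startswith("Certificate was successfully validated. Certificate is resident and trusted"):
            m = ASDM_ID.search(line)          # a resident CA cert: trust anchor or intermediate
            s["anchors"].append({"serial": m.group(1), "subject": m.group(2)})
        elif line.startswith("Identified client certificate"):
            m = ASDM_ID.search(line)
            s["client"] = {"serial": m.group(1), "subject": m.group(2)}
        elif line.startswith("Found a suitable trustpoint"):
            s["trustpoint"] = line.split()[4]
        elif line.startswith("OCSP status is being checked"):
            s["ocsp_checked_serial"] = ASDM_ID.search(line).group(1)
        elif line.startswith("OCSP response received") or "transaction GetOCSP completed" in line:
            s["ocsp_response"] = True
        elif "OCSP check bypassed" in line:
            s["nocheck_bypass"] = True        # normal for the responder's signing cert
        elif line.startswith("Certificate chain was successfully validated"):
            s["result"] = "valid"
        elif "CRYPTO_PKI: Verifying certificate" in line:
            m = DEBUG_ID.search(line)         # in the debug this is the cert submitted to OCSP
            s["client"] = {"serial": m.group(1), "subject": m.group(2)}
            s["ocsp_checked_serial"] = m.group(1)
        elif "Cert revoked:" in line:
            s["result"] = "revoked"
            s["status_code"] = int(line.rsplit(":", 1)[1])
    # Bypass is only acceptable if the client cert itself went through OCSP.
    s["client_revocation_checked"] = s["ocsp_checked_serial"] is not None and s["ocsp_response"]
    return s


if __name__ == "__main__":
    print(summarize(ASDM_LOG_VALID, newest_first=True))
    print(summarize(DEBUG_LOG_REVOKED, newest_first=False))
```

Feeding this the ASDM syslog export for a session gives you the trust anchor, the issuing CA and the client serial in one line, which is what you need when the question is "which CA signed the cert that just got in" or "was revocation really checked, or just bypassed".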


AnyConnect Attributes in ISE – ACIDEX [Option]
Certificate Authorities
• ISE CA

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html#concept_C0EDF372974E459CA8E4A14389853525

• MSFT Active Directory Certificate Services

http://technet.microsoft.com/en-us/windowsserver/dd448615.aspx

• IOS CA server

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_brief0900aecd802b6403.html

• ASA CA server (limited to SSL client certificates only)

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1067517

• Public Key Cryptography Services

http://en.wikipedia.org/wiki/PKCS
AAA – Dynamic Access Policies
Device ID is present in LDAP (optional)
• Leverage a field in AD like aaa.ldap.extensionAttribute1
• Compare with endpoint.anyconnect.deviceuniqueid
• If NE, then device is not authorized
Requirement:
• Pre-registration of Device
AAA – Dynamic Access Policies
Device not Authorized
deviceuniqueid NE ldap.extensionAttribute1
AAA – Dynamic Access Policies
Awareness in AnyConnect sent to ISE
• With ISE 1.3 with AnyConnect 4.0 (Windows/Mac) this data can be used for
profiling.
Configuration Steps Overview
Cisco ASA:
1. Identity Certificate
2. Install Root/Issuing CA Certs
3. Modify your Connection Profiles
4. Create AnyConnect Client Profiles
5. Modify Group Policy
6. Create Dynamic Access Policy (DAP) rules
7. ISE configured as AAA Server
Cisco ISE:
1. Configure VPN as NAD
2. Option: Configure Policy Set
3. Configure Authentication Policy
4. Configure Authorization Policy
5. SCEP RA Profile for MSFT CA
6. Intermediate CA Cert Integration
Microsoft Certificate Services
ISE Certificate Authority
