CVO Mobility with SSLVPN [Cisco IOS SSLVPN] – Cisco Systems.

hostname sslvpn-gateway
!
aaa new-model
!
aaa group server radius ssl-users
server-private  auth-port 1812 acct-port 1813 key 
!
aaa authentication login default local group ssl-users
!
aaa session-id common
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
ip cef
!
ip domain name cisco.com
ip host sslvpn-gateway.cisco.com 
ip name-server 
!
crypto pki trustpoint SSLVPN
enrollment url http://ca-server:80
serial-number none
fqdn sslvpn-gateway.cisco.com
ip-address none
subject-name CN=sslvpn-gateway.cisco.com
revocation-check crl
!
crypto pki certificate chain SSLVPN
certificate 
certificate ca 
!
interface GigabitEthernet0/0
ip address 10.10.10.30 255.255.255.240
duplex full
speed 100
media-type rj45
negotiation auto
!
!
ip classless
ip local pool sslvpn-pool 10.10.10.50 10.10.10.100
ip route 0.0.0.0 0.0.0.0 10.10.10.40
!
!
no ip http server
no ip http secure-server
ip http authentication aaa
!
!
line con 0
exec-timeout 300 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 15
exec-timeout 300 0
password 
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179207
ntp server 
!
webvpn gateway sslvpn-gw
ip address 10.10.10.30 port 443
ssl trustpoint SSLVPN
inservice
!
webvpn install svc flash:/webvpn/svc.pkg sequence 1
!
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context tunnel
title "Welcome to SSLVPN : unauthorized access is prohibited"
title-color #336699
ssl authenticate verify all
!
!
policy group tunnelpolicy
functions svc-required
timeout idle 3555
timeout session 1209555
svc address-pool "sslvpn-pool"
svc keep-client-installed
svc split include 128.10.0.0 255.255.0.0
svc split include 144.254.0.0 255.255.0.0
svc dns-server primary 171.68.226.120
svc wins-server primary 171.69.2.87
svc wins-server secondary 171.68.235.228
default-group-policy tunnelpolicy
gateway sslvpn-gw domain tunnel
inservice
!
webvpn context csd
ssl encryption
ssl authenticate verify all
!
!
policy group csdpolicy
functions svc-enabled
svc address-pool "sslvpn-pool"
svc split include 10.0.0.0 255.0.0.0
svc split include 20.0.0.0 255.255.0.0
svc dns-server primary 171.68.226.120
default-group-policy csdpolicy
gateway sslvpn-gw domain csd
csd enable
inservice
!
end

Certificate Management
The SSLVPN server can be deployed with a certificate issued by an in-house certificate server or by a public trusted certificate server (such as Verisign). If an in-house certificate server is used, the web browsers will prompt users to accept the certificate every time a session is established to the SSLVPN gateway, until the root certificate is permanently installed into the browser’s trusted root store. This can be avoided if a certificate issued by a public root is used. Most of the well-known public roots are already packaged with the prominent browsers such as Internet Explorer, Firefox, and so on.

Configuration

Note: Before doing any certificate-related configuration, make sure that the router’s clock and time zone are accurately configured.

Configuration for Offline Enrollment
crypto pki trustpoint myca
enrollment terminal
fqdn none
subject-name cn=sslvpn.mydomain.com,o=The Company,c=US,st=California
revocation-check crl
rsakeypair sslvpn.mydomain.com
The RSA key pair name and common name in the subject-name should match the actual URL used for connecting to the SSLVPN gateway. If there is a mismatch, the web browsers will issue a warning, and the users will be prompted to accept the certificate.
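Name mismatches of this kind (a subject CN that differs from the trustpoint fqdn, or a context bound to a gateway name that was never defined) are easy to introduce when typing a configuration by hand. The following Python check is an added example, not part of the Cisco document: it parses an IOS-style SSLVPN configuration and reports both problems, using a constructed configuration excerpt embedded in the code.

```python
import re
# Constructed excerpt in IOS running-config style ("!" separates sections) with
# the two mistakes this check targets: a context bound to a gateway name that is
# never defined, and a trustpoint whose subject CN differs from its fqdn.
SAMPLE_CONFIG = """\
crypto pki trustpoint SSLVPN
 fqdn sslvpn-gateway.cisco.com
 subject-name CN=sslvnp-gateway.cisco.com
!
webvpn gateway sslvpn-gw
 ssl trustpoint SSLVPN
!
webvpn context tunnel
 gateway webvpn-gw domain tunnel
"""

def parse_trustpoints(config):
    """Map each 'crypto pki trustpoint' name to its sub-command/value pairs."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto pki trustpoint (\S+)", line)
        if m:
            current = trustpoints.setdefault(m.group(1), {})
        elif line.strip() == "!":  # "!" closes a section in IOS output
            current = None
        elif current is not None and line.strip():
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return trustpoints

def audit_sslvpn_config(config):
    """Return a list of cross-reference problems in an IOS SSLVPN configuration."""
    findings = []
    gateways = set(re.findall(r"^webvpn gateway (\S+)", config, re.M))
    trustpoints = parse_trustpoints(config)
    # Every 'gateway X domain Y' inside a context must name a defined webvpn gateway.
    for gw in re.findall(r"^\s*gateway (\S+) domain", config, re.M):
        if gw not in gateways:
            findings.append(f"context references undefined gateway '{gw}'")
    # The gateway trustpoint must exist and its subject CN must equal its fqdn.
    for tp in re.findall(r"^\s*ssl trustpoint (\S+)", config, re.M):
        attrs = trustpoints.get(tp)
        if attrs is None:
            findings.append(f"gateway references undefined trustpoint '{tp}'")
            continue
        cn = re.search(r"CN=([^,]+)", attrs.get("subject-name", ""), re.I)
        if cn and attrs.get("fqdn") and cn.group(1).lower() != attrs["fqdn"].lower():
            findings.append(f"trustpoint '{tp}' CN {cn.group(1)} != fqdn {attrs['fqdn']}")
    return findings
```

Running `audit_sslvpn_config` on the output of `show running-config` gives the same two findings for the page's own sample configuration, and an empty list once the names agree.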

Configuration for Simple Certificate Enrollment Protocol (SCEP)
The following sample is for a Microsoft certificate server.
crypto pki trustpoint myca
enrollment mode ra
enrollment url http://my-ca:80/certsrv/mscep/mscep.dll
fqdn none
serial-number
subject-name cn=sslvpn.mydomain.com,o=The Company
revocation-check crl
rsakeypair sslvpn.mydomain.com

Generating an RSA Key Pair
RSA keys must be generated using the actual URL used for connecting to the SSLVPN gateway as the name.
sslvpn-gateway(config)#crypto key generate rsa general-keys label sslvpn.mydomain.com modulus 1024
The name for the keys will be: sslvpn.mydomain.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys …[OK]
The RSA keys can be generated as exportable or nonexportable. Appending the exportable keyword to the command above will generate exportable RSA keys.
Exportable RSA keys should be carefully evaluated before use, because they introduce the risk that the keys might be exposed. The advantage of using exportable keys is that in case of hardware failure, the gateway can be easily replaced with a new router, and the keys and certificates can be imported from backup. However, the saved backup copy of the keys has to be kept very safe.
Nonexportable keys cannot be copied from the gateway, but in case of “write erase,” flash corruption, or hardware failure, the certificates are lost. In this case, new certificates must be generated, and the user has the overhead of contacting the certificate vendor for new certificates, possibly at extra cost. If an in-house certificate authority (CA) server is used, this is not a big issue.

Installing an In-House Certificate
If the certificate server supports SCEP, the CA certificate is first retrieved from the CA server and authenticated using the following command:

sslvpn-gateway(config)#crypto pki authenticate myca
Certificate has the following attributes:
Fingerprint MD5: 1CB6EDEA 204E5336 6FE33243 C3381FF51
Fingerprint SHA1: D91C23DB 7A04D176 F1332E3E 1F234837 63132D30
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
The certificate can then be enrolled, and the CA will send a signed certificate:
sslvpn-gateway(config)#cry pki enroll myca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: sslvpn.mydomain.com
% The serial number in the certificate will be: 00E2C3D1
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate myca verbose' command will show the fingerprint.
If the certificate server does not support SCEP, an offline method needs to be used as explained in the next section.

Installing a Certificate Issued by Public Certificate Authority
Usually the public certificate authorities use a web-based or email-based certificate enrollment mechanism.
Generating the Certificate Signing Request File
Whether the offline enrollment method is email or web, the steps on the router are the same. First, a certificate signing request (CSR) needs to be generated with the enrollment command; this is possible only after the corresponding RSA key pair and trustpoint are configured. Authenticating the CA is not necessary at this stage, because it may not yet be known which certificate server will issue the certificate (one vendor can operate multiple certificate servers). If it is known, authentication can be performed after downloading the root certificate; if not, wait to authenticate until the certificate is issued.
The enrollment request will display the CSR on the router console, as shown below. Copy only the base64-encoded portion and save it in a text file with .csr extension. Some vendors may need it to be enclosed in "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines. The following is a sample CSR generation:
test-router(config)#crypto pki enroll myca
% Start certificate enrollment ..
% The subject name in the certificate will include: cn=test
% The fully-qualified domain name will not be included in the certificate
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
test-router(config)#
The resulting CSR file (myca.csr) will look like this:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
The user must now send this CSR to the certificate vendor by email or the Internet. The vendor will return the signed certificate as a text file in base64-encoded format. Make sure that the vendor sends all the files encoded in base64; these files will usually have a .cer extension. The vendor may also provide the corresponding root certificate in the same format. If the root certificate is not provided, it can easily be exported from a standard web browser. First, open the issued certificate and look at the "issued by" field. On a Windows platform, opening the certificate is as simple as double-clicking on the .cer file. Once the issuer is identified, open the root certificate store of the browser and look for the certificate of the issuer. When it is located, export it as a .cer file.
The next step is authenticating and loading the enrolled certificate on the SSLVPN router.

Loading the Root Certificate
To load the root certificate (authentication), issue the "crypto pki authenticate " command and paste the contents of the root certificate file. Then type "quit" on a new line or simply press the Enter key on a new line.
test-router(config)#crypto pki authenticate myca
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5: 
Fingerprint SHA1: 
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
test-router(config)#

Loading the Router Certificate
Now the certificate issued by the vendor needs to be installed on the SSLVPN router. This is the certificate identifying the server; it will be presented to SSLVPN clients during SSL negotiation. The command is “crypto pki import certificate.” Paste the certificate file content followed by “quit” or a blank line.

test-router(config)#crypto pki import myca certificate
% The fully-qualified domain name will not be included in the certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
% Router Certificate successfully imported
test-router(config)#
The router is now ready to function as an SSLVPN server.

Client Access Restriction
This appendix explains how to restrict access to SSLVPN full-tunnel mode based on the antivirus software and operating system present on the client host.

Configure Using Cisco Secure Desktop
Cisco Secure Desktop has a mechanism for restricting access to SSLVPN full-tunnel mode based on the antivirus software and operating system version found on the client PC. These access criteria are configured in the Cisco Secure Desktop admin page.
To enable checking for antivirus software and OS version, configure Cisco Secure Desktop and full-tunnel mode on the SSLVPN gateway for a virtual context.
To configure, log into https:///csd_admin, and select the correct virtual context.
Go to the VPN Feature Policy under the location for which you are configuring access.
Select “ON if criteria are matched” for full tunneling and click the “…” button.
This pops up a window where the criteria can be configured. Select the appropriate antivirus software and OS version, and save your changes.
A client who logs in from a PC that does not match the OS and antivirus criteria will not be able to establish an SSLVPN tunnel to the gateway.
