BRKSEC-2053
BRKSEC-2053
Cisco Public
Abstract
This intermediate level session will provide a technical overview
and best practices for deploying X.509 certificates for two-factor
authentication to support AnyConnect client. A number of different
SSLVPN use cases including bring your own device will be
introduced and explained. The recommended solutions will focus
on ease of use and manageability with detailed configuration
examples. Technologies used include Cisco ASA and Cisco
AnyConnect Secure Mobility using both Cisco and MSFT public
key solutions. By the end of the session participants should grasp
the major steps in X.509 certificate deployment and be able to
make informed decisions about using certificate authentication
with Cisco solutions.
BRKSEC-2053
Cisco Public
Agenda
Making the case for Identity-based Digital Certificates
Using best practices to Simplify the Deployment of Certificates for VPN
Best Practices Case Study Cisco Anyconnect SSLVPN with
certificates
Case Study Demo
Q&A
BRKSEC-2053
Cisco Public
BRKSEC-2053
Cisco Public
2. Device Certificates
A certificate that contains a device specific
attribute
Cisco Public
Cisco Public
Cisco Public
BRKSEC-2053
Cisco Public
10
http
CA
Delta CRL
OCSP (online certificate status protocol)
Request/response per certificate check
Near real-time updates
OCSP Server gathers CRLs from one or many CAs
Nonce helps defeat replay attacks
BRKSEC-2053
Cisco Public
11
BRKSEC-2053
Cisco Public
12
BRKSEC-2053
Cisco Public
13
Advantages of Certificates
Two-factor Authentication using Identity Certs plus username/password
Less expensive TCO alternative to token solutions
Simpler end-user experience = Happier users
BRKSEC-2053
Cisco Public
14
Disadvantages of Certificates
VPN Use Case
Cisco Public
15
Hard to manage!
Takes several FTE to run this thing
Troubleshooting is a nightmare
BRKSEC-2053
16
Hard to manage!
BRKSEC-2053
Cisco Public
17
SSLVPN Client
BRKSEC-2053
CA Server
ASA Headend
2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
18
User and Machine certificates are the gift that keeps on giving
Quickly increase corporate security in other areas
BRKSEC-2053
Cisco Public
19
Cisco Public
20
Embedded Anyconnect
Allows certificate based embedded SSL VPN for seamless user experience
BRKSEC-2053
Cisco Public
21
BRKSEC-2053
Cisco Public
22
BRKSEC-2053
Cisco Public
23
Agenda
Making the case for Identity-based Digital Certificates
Using best practices to Simplify the Deployment of Certificates for VPN
Best Practices Case Study Cisco Anyconnect SSLVPN with
certificates
Case Study Demo
Q&A
BRKSEC-2053
Cisco Public
24
Easy to Deploy
Setup a CA deployment quickly and easily
Deploy Identity certificates quickly to end users
BRKSEC-2053
Cisco Public
25
Both sides, ASA and VPN clients, need proper certificate chains in place
BRKSEC-2053
Cisco Public
26
BRKSEC-2053
Cisco Public
27
BRKSEC-2053
Cisco Public
28
BRKSEC-2053
Cisco Public
29
BRKSEC-2053
Cisco Public
30
Hosted
Cloud based SaaS offering
Less care and feeding
BRKSEC-2053
Cisco Public
31
Cisco Public
32
BRKSEC-2053
Cisco Public
34
smtp.corp.com
BRKSEC-2053
Cisco Public
35
Cisco Public
36
BRKSEC-2053
Cisco Public
37
Configuring Microsoft CA
Best Practices!
BRKSEC-2053
Cisco Public
39
BRKSEC-2053
Cisco Public
40
BRKSEC-2053
Cisco Public
41
BRKSEC-2053
Cisco Public
42
Cisco Public
43
BRKSEC-2053
Cisco Public
44
GPO Authorisation
Just in case
Verify GPO policies allow certificates to be used for authentication
BRKSEC-2053
Cisco Public
45
BRKSEC-2053
4. Open Regedit
5. HKEY_LOCAL_MACHINE\SOFTWARE\Microso
ft\Cryptography\MSCEP
5. Change GeneralPurposeTemplate to match
the new clone
6. Optional: Disable Force OTP for SCEP
7. Reboot CA Server
Cisco Public
46
BRKSEC-2053
Cisco Public
47
BRKSEC-2053
Cisco Public
48
BRKSEC-2053
Cisco Public
49
50
Certificate Troubleshooting
Chain of certificates may be incomplete
-Match Authority Key Identifier field to CA Root Cert(s)
User Cert
CA Root Cert
BRKSEC-2053
Cisco Public
51
MSFT CA Troubleshooting
Server Manager, Event Viewer and Certificate Services are FULL of info
BRKSEC-2053
Cisco Public
52
BRKSEC-2053
Cisco Public
53
BRKSEC-2053
Cisco Public
54
BRKSEC-2053
Cisco Public
55
Reporting- ACS 5
BRKSEC-2053
Cisco Public
56
Agenda
Making the case for Identity-based Digital Certificates
Using best practices to Simplify the Deployment of Certificates for VPN
Best Practices Case Study Cisco Anyconnect SSLVPN with
certificates
Case Study Demo
Q&A
BRKSEC-2053
Cisco Public
57
Assumptions
You have setup an AnyConnect SSLVPN either manually or through the ASDM
SSLVPN Wizard
BRKSEC-2053
Cisco Public
59
Internal Network
Internet
Cisco ASA
ASA 8.4.2+
BRKSEC-2053
AD / Certificate Authority
Windows 2008 R2
Cisco Public
60
BRKSEC-2053
Cisco Public
61
BRKSEC-2053
Cisco Public
62
SCEP Proxy
Controlled via Headend
Does not need Pull Down List
ASA communicates with CA
Can use Single Connection Profile
Caveats
Requires Premium AC License
Requires ASA 8.4(1)+
GPO
Supported for Domain joined devices only
***Easiest way to roll out certificates
BRKSEC-2053
Cisco Public
63
BRKSEC-2053
Cisco Public
64
SCEP Delivery
Connection Profiles
SCEP
BRKSEC-2053
Cisco Public
65
Delivery
Group Policy Change for SCEP Proxy
BRKSEC-2053
Cisco Public
66
Delivery
AnyConnect SCEP Configuration
Client Profile
Requires CA URL
Automatic SCEP Host
Certificate Enrollment Group
%USER% as CN and/or Email
used for User Authorisation
BRKSEC-2053
Cisco Public
67
Delivery
Mobile Device Specific Configuration
Mobile Settings
Connect on Demand requires
Certificate Authentication
Activate on import needed for
device to automatically select
imported profile.
On Demand Domain list
BRKSEC-2053
Cisco Public
68
Delivery
Device Based Certificates
Client Profile
%MACHINEID% used to input
in certificate request [optional]
Notice %USER% is not in CN
to enforce Device/Certificate
Pair
Dynamic Access Policy will be
used to verify device/certificate
pair
BRKSEC-2053
Cisco Public
69
Delivery
Using Microsoft CA with GPO and SCEP/NDES
SCEP configuration for CA
BRKSEC-2053
Cisco Public
70
Delivery
End-user Experience
BRKSEC-2053
Cisco Public
71
BRKSEC-2053
Cisco Public
72
BRKSEC-2053
Cisco Public
73
BRKSEC-2053
Cisco Public
74
AAA
Check if user is authorised for connection
Scenario: Need to deny a user access when using Certificate only Auth
IT process: 1) IT revokes cert, validity period is 24hrs.
2) IT disables users AD account, takes effect immediately.
User valid? - Verifies User is in AAA database
BRKSEC-2053
Cisco Public
75
AAA
Optional Common Authorisation checks
DAP for checking User
AD group membership
BRKSEC-2053
Cisco Public
76
AAA
Restrict Devices During SCEP Certificate Enrollment
Scep.required is a new field that is populated true when you fail certificate
authentication and the connection profile is set for SCEP Proxy
Cisco Public
77
AAA
Security During SCEP Certificate Enrollment
Apply Network ACL to limit access to SCEP/CA Server during
enrollment
ACL Required for SCEP but not SCEP Proxy
BRKSEC-2053
Cisco Public
78
AAA
Device ID Awareness in ASA
WindowsBIOS
Serial Number
Mac
Linux
Apple iOS
UDID
Android
BRKSEC-2053
Cisco Public
79
AAA
Device Certificate is on Correct Device
Endpoint.certificate.user[
0].subject_cn
Endpoint.device.id is
copied from anyconnect
If NE, then certificate
has been moved.
BRKSEC-2053
Cisco Public
80
BRKSEC-2053
Cisco Public
81
Validation
Online Certificate Status Protocol (OCSP) / Certificate Revocation List (CRL)
OCSP is a best practice for large
deployments or immediate revocation
CRL as a backup or for smaller deployments
BRKSEC-2053
Cisco Public
82
BRKSEC-2053
Cisco Public
83
Management
CA Server Windows 2008
BRKSEC-2053
Cisco Public
84
Management
CA Server MMC snap-in
Verify/Revoke/Pending Requests
BRKSEC-2053
Cisco Public
85
Management
Certificate Validation in Syslog
Certification validation
Fields in the certificate can be used for comparison to CA
BRKSEC-2053
Cisco Public
86
Management
ASA Certificate Debugging
BRKSEC-2053
Cisco Public
87
Management
Debug DAP
CLI: debug dap [trace | error]
Define logging filter for DAP
debugging to show up in ASDM
syslog tool
BRKSEC-2053
Cisco Public
88
Management
Debug LDAP
Since DAP included LDAP lookup, all the LDAP attributes are
displayed
Especially useful when configuring authorisation rules against
LDAP database
BRKSEC-2053
Cisco Public
89
Management
Device Not Authorised
deviceuniqueid NE ldap.extensionAttribuite1
BRKSEC-2053
Cisco Public
90
In summary
Certificates excel at 2-factor auth or mobile platforms auth
Certificates are easy to use
BRKSEC-2053
Cisco Public
92
Microsoft CA Server
http://www.cisco.com/en/US/product
s/ps6120/products_c
aonfiguration_example09186a0080b
25dc1.shtml
http://technet.microsoft.com/enus/library/cc770357
http://www.cisco.com/en/US/product
s/ps6120/products_configuration_ex
ample09186a008073b12b.shtml
http://technet.microsoft.com/enus/library/cc753828
www.cisco.com/go/vpn
http://technet.microsoft.com/enus/library/cc753778
http://technet.microsoft.com/enus/library/cc732625
www.cisco.com/go/anyconnect
www.cisco.com/go/asa
BRKSEC-2053
Cisco Public
93
Final Thoughts
Visit www.ciscoLive365.com after the event for updated PDFs,
on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
Facebook: https://www.facebook.com/ciscoliveus
Twitter: https://twitter.com/#!/CiscoLive
BRKSEC-2053
Cisco Public
94
Q&A
BRKSEC-2053
Cisco Public
96
BRKSEC-2053
Cisco Public
Extras
What Is a Certificate?
Each client sends its public key and Identity information to a third
party
That third party digitally signs the clients public key with its
private key, binding it with identity information; this is a certificate
The trusted third party is called a certificate authority
BRKSEC-2053
Cisco Public
99
AAA
Optional: Device is present in LDAP
BRKSEC-2053
Cisco Public
100
AAA
Optional: Device / AD Authorisation for Mobile
Input Device ID into extensionAttribute1
BRKSEC-2053
Cisco Public
101
Signature
1. Decrypt the signature
using the public key
2. Decrypted signature
should contain the hash
of the message
If Hashes
Are Equal
Signature Is
Verified
BRKSEC-2053
Cisco Public
102
Certificate Authorities
Additional Information
Microsoft CA server
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
IOS CA server
http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_brief09
00aecd802b6403.html
ASA CA server (limited to SSL client certificates only)
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ce
rt_cfg.html#wp1067517
BRKSEC-2053
Cisco Public
103
BRKSEC-2053
Cisco Public
104
and
then
return true
end
end
return false
end)()
BRKSEC-2053
Cisco Public
105
Logging enable
Logging class ca console debug
Debug crypto ca 3
Debug crypto ca transaction 3
Debug crypto ca message 3
BRKSEC-2053
Cisco Public
106
Turn on OCSP
1. OCSP template - Add Enroll Permission to CA Computer account
BRKSEC-2053
Cisco Public
107
OCSP Success
BRKSEC-2053
Cisco Public
108
BRKSEC-2053
Cisco Public
109