
VPN smartcard access


dunks59 (IS-IT--Management)
Feb 12, 2009
I'm setting up a remote access VPN with a Microsoft CA. I had the thing working, but at the last point I changed out the trustpoint in order to get the CRLs working. While that all works fine now and the router checks whether the cert is still valid, I managed to break everything.

After the cert is authenticated I get the following error.

CRYPTO_PKI: Certificate validated
CRYPTO_PKI: valid cert status.

Right after this the client connection terminates with:

"Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding."

I turned on LDAP debugging, but it doesn't even get to the point of attempting to authenticate the user via the AAA server.

I can paste the whole config but didn't want to go through parsing the beast to take out private stuff.

Anybody have an idea on this?
 
Looked at it a little more. This is the entire output of debug ca when I try to get a client to connect.

"CRYPTO_PKI: Ignoring self signed certificate received from peer

CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 12139FF2000000000026, subject name: cn=testvpn,cn=Users,dc=ra,dc=domain,dc=com, issuer_name: cn=ra-DC01-CA,dc=ra,dc=domain,dc=com.

CRYPTO_PKI: Processing map rules for ra_ca_map.
CRYPTO_PKI: Processing map ra_ca_map sequence 10...
CRYPTO_PKI: Match of subject-name field to map PASSED. Peer cert field: = cn=testvpn,cn=Users,dc=ra,dc=domain,dc=com, map rule: subject-name ne "".
CRYPTO_PKI: Peer cert has been authorized by map: ra_ca_map sequence: 10.
CRYPTO_PKI: Tunnel Group Match on map ra_ca_map sequence # 10. Group name is ra_tun_group

CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 12139FF2000000000026, subject name: cn=testvpn,cn=Users,dc=ra,dc=domain,dc=com
CRYPTO_PKI: Verifying certificate with serial number: 12139FF2000000000026, subject name: cn=testvpn,cn=Users,dc=ra,dc=domain,dc=com, issuer_name: cn=ra-DC01-CA,dc=ra,dc=domain,dc=com.

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI(Cert Lookup) issuer="cn=ra-DC01-CA,dc=ra,dc=domain,dc=com" serial number=12 13 9f f2 00 00 00 00 00 26 | .........&

CRYPTO_PKI: looking for cert in handle=d4653200, digest=
46 ed 8a 7a c4 22 d6 8e 76 66 1c 7f 51 f8 94 54 | F..z."..vf.Q..T

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: Found a suitable authenticated trustpoint ra-trust-point.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.4.1.311.10.3.4
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.4.1.311.10.3.4, NOT acceptable
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.4
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.4, NOT acceptable
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI:check_key_usage:Key Usage check OK

CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary

CRYPTO_PKI: Starting CRL revocation check.
CRYPTO_PKI: Attempting to find cached CRL for CDP LDAP: cn=ra-DC01-CA,dc=ra,dc=domain,dc=com
CRYPTO_PKI: Select crl(cn=ra-DC01-CA,dc=ra,dc=domain,dc=com)
CRYPTO_PKI: Found CRL in cache for CDP: LDAP: cn=ra-DC01-CA,dc=ra,dc=domain,dc=com, status 0.

CRYPTO_PKI(select cert) subject = cn=ra-DC01-CA,dc=ra,dc=domain,dc=com
CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CRYPTO_PKI: Certificate is not revoked!

CRYPTO_PKI:Certificate validated. serial number: 12139FF2000000000026, subject name: cn=testvpn,cn=Users,dc=ra,dc=domain,dc=com
CRYPTO_PKI: Certificate validated
CRYPTO_PKI: valid cert status."
 
Ok, and below is the configuration (kind of heavily modified, but hopefully this helps).

show run
: Saved
:dc=domain,dc=com
ASA Version 8.0(4)
!
hostname ra01
domain-name domain.com
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
banner motd Ur in...
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server x.x.x.x
name-server 4.2.2.2
domain-name domain.com
access-list outside_cryptomap_65535.2 extended permit ip interface outside host x.x.x.x
pager lines 24
logging enable
logging buffered debugging
logging trap debugging
logging asdm informational
logging host outside x.x.x.x
mtu outside 1500
mtu inside 1500
ip local pool ra_ip_pool x.x.x.x-x.x.x.x mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 x.x.x.x
route inside x.x.x.x 255.255.255.255 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map memberOf
map-name memberOf Tunneling-Protocols
map-value memberOf CN=ASAUsers,CN=Users,DC=domain,DC=com 20
map-value memberOf CN=TelnetClinets,CN=Users,DC=domain,DC=com 1
ldap attribute-map msNPAllowDialin
map-name msNPAllowDialin Tunneling-Protocols
map-value msNPAllowDialin FALSE 1
map-value msNPAllowDialin TRUE 20
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host x.x.x.x
server-port 636
ldap-base-dn DC=ra,dc=domain,dc=com
ldap-scope subtree
ldap-naming-attribute userPrincipalName
ldap-login-password *
ldap-login-dn CN=Administrator,CN=Users,DC=ra,dc=domain,dc=com
ldap-over-ssl enable
ldap-attribute-map msNPAllowDialin
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ra_tran_set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set ra_tran_set
crypto dynamic-map outside_dyn_map 1 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 2 match address outside_cryptomap_65535.2
crypto dynamic-map outside_dyn_map 2 set transform-set ra_tran_set ESP-DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-MD5 ESP-AES-128-MD5 ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 2 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ra-trust-point
revocation-check crl
enrollment url fqdn ra01.ra.domain.com
subject-name CN=ra01.ra.domain.com,OU=IT,O=xx,C=US,St=xx,L=xx
serial-number
keypair ra-tp-key
match certificate ra_ca_map override ocsp trustpoint ra-trust-point 1 url crl configure
no protocol http
no protocol ldap
crypto ca certificate map ra_ca_map 10
subject-name ne ""
crypto ca certificate chain ra-trust-point
certificate ca xxxxxxxx - took out a lot -

quit
crypto isakmp enable outside
crypto isakmp policy 1
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 inside
ssh timeout 60
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.x.x.x prefer
group-policy ra_gp internal
group-policy ra_gp attributes
vpn-tunnel-protocol IPSec
default-domain none
address-pools value ra_ip_pool
username xxx password x.x.x.x encrypted privilege 15
tunnel-group ra_tun_group type remote-access
tunnel-group ra_tun_group general-attributes
authorization-server-group AD-LDAP
default-group-policy ra_gp
authorization-required
username-from-certificate use-entire-name
tunnel-group ra_tun_group ipsec-attributes
trust-point ra-trust-point
isakmp ikev1-user-authentication none
tunnel-group-map enable rules
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
tunnel-group-map ra_ca_map 10 ra_tun_group
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0187770f01104fc7faf810085e58d592
: end
ra01#
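The debug output above is the ASA's whole decision trail for the peer certificate: identity, each ExtendedKeyUsage OID and whether it is acceptable, the certificate-map match that selects the tunnel group, the CRL lookup, and the final verdict. The script below is an added example (it is not from the thread and not a Cisco tool) that replays that trail from the posted lines and then evaluates certificate-map rules against the parsed identity, which makes visible what sequence 10 of ra_ca_map in the config (`subject-name ne ""`) really admits: any certificate that has a subject at all. The DN parsing is simplified (no escaped commas), the rule operators and the ANDing of rules within one sequence are my reading of the ASA CLI grammar, and the "strict" map is hypothetical.

```python
"""Replay the ASA's peer-certificate decision from 'debug crypto ca' output.

Added example, not from the thread or any Cisco tool.  Parses the CRYPTO_PKI
lines the ASA prints while validating a VPN client's certificate, then evaluates
'crypto ca certificate map' rules against the parsed identity.  DN handling is
simplified (no escaped commas); eq/ne/co/nc semantics and the ANDing of rules
within one map sequence are assumptions based on the ASA CLI grammar.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RE_IDENT = re.compile(r"serial number: ([0-9A-Fa-f]+), subject name: (.+?), issuer_name: (.+?)\.?\s*$")
RE_EKU = re.compile(r"ExtendedKeyUsage OID = ([0-9.]+)(, NOT acceptable)?\s*$")
RE_TG = re.compile(r"Tunnel Group Match on map (\S+) sequence # (\d+)\. Group name is (\S+)")


@dataclass
class PeerCertDecision:
    serial: str = ""
    subject: str = ""
    issuer: str = ""
    ekus: Dict[str, bool] = field(default_factory=dict)  # oid -> accepted by the ASA?
    map_name: str = ""
    map_seq: int = 0
    tunnel_group: str = ""
    crl_checked: bool = False
    revoked: Optional[bool] = None  # None: no CRL verdict seen in the debug
    validated: bool = False

    @property
    def eku_ok(self) -> bool:
        # As the debug shows: one acceptable EKU is enough; no EKU at all also passes.
        return not self.ekus or any(self.ekus.values())


def analyze(lines: List[str]) -> PeerCertDecision:
    """Walk CRYPTO_PKI debug lines and collect the ASA's decisions."""
    d = PeerCertDecision()
    for line in lines:
        m = RE_IDENT.search(line)
        if m and not d.serial:
            d.serial, d.subject, d.issuer = m.groups()
        m = RE_EKU.search(line)
        if m:
            oid, rejected = m.groups()
            d.ekus.setdefault(oid, True)   # first mention: the OID is present
            if rejected:
                d.ekus[oid] = False        # verdict line: "NOT acceptable"
        m = RE_TG.search(line)
        if m:
            d.map_name, d.map_seq, d.tunnel_group = m.group(1), int(m.group(2)), m.group(3)
        d.crl_checked |= "Starting CRL revocation check" in line
        if "Certificate is not revoked" in line:
            d.revoked = False
        d.validated |= "Certificate validated" in line
    return d


Rule = Tuple[str, Optional[str], str, str]  # (field, attr or None, op, value)

def dn_attr(dn: str, attr: str) -> str:
    """First value of an attribute in a comma-separated DN (case-insensitive)."""
    for rdn in dn.split(","):
        k, _, v = rdn.partition("=")
        if k.strip().lower() == attr.lower():
            return v.strip()
    return ""

def rule_matches(rule: Rule, cert: PeerCertDecision) -> bool:
    fld, attr, op, value = rule
    dn = cert.subject if fld == "subject-name" else cert.issuer
    actual, value = (dn_attr(dn, attr) if attr else dn).lower(), value.lower()
    return {"eq": actual == value, "ne": actual != value,
            "co": value in actual, "nc": value not in actual}[op]

def cert_map_matches(rules: List[Rule], cert: PeerCertDecision) -> bool:
    """All rules of one map sequence must match."""
    return all(rule_matches(r, cert) for r in rules)


# Excerpt of the debug output posted in the thread (first entry wrapped here).
DEBUG_LINES = [
    "CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 12139FF2000000000026, "
    "subject name: cn=testvpn,cn=Users,dc=ra,dc=domain,dc=com, issuer_name: cn=ra-DC01-CA,dc=ra,dc=domain,dc=com.",
    "CRYPTO_PKI: Tunnel Group Match on map ra_ca_map sequence # 10. Group name is ra_tun_group",
    "CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.4.1.311.10.3.4",
    "CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.4.1.311.10.3.4, NOT acceptable",
    "CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.4",
    "CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.4, NOT acceptable",
    "CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2",
    "CRYPTO_PKI:check_key_usage:Key Usage check OK",
    "CRYPTO_PKI: Starting CRL revocation check.",
    "CRYPTO_PKI: Certificate is not revoked!",
    "CRYPTO_PKI: Certificate validated",
    "CRYPTO_PKI: valid cert status.",
]
# Sequence 10 of ra_ca_map from the posted config: any cert with a non-empty subject.
RA_CA_MAP: List[Rule] = [("subject-name", None, "ne", "")]
# Hypothetical tighter map: pin the issuer CN and demand an OU the test user lacks.
STRICT_MAP: List[Rule] = [("issuer-name", "cn", "eq", "ra-DC01-CA"),
                          ("subject-name", "ou", "eq", "VPN Users")]

if __name__ == "__main__":
    d = analyze(DEBUG_LINES)
    print(f"peer {d.subject} serial {d.serial} issued by {d.issuer}")
    print(f"  EKUs: {d.ekus}  eku_ok={d.eku_ok}")
    print(f"  crl_checked={d.crl_checked} revoked={d.revoked} validated={d.validated}")
    print(f"  map {d.map_name} seq {d.map_seq} -> tunnel-group {d.tunnel_group}")
    print(f"  ra_ca_map matches={cert_map_matches(RA_CA_MAP, d)} strict matches={cert_map_matches(STRICT_MAP, d)}")
```

Two things the replay makes obvious. First, the peer cert passes every check the ASA performs (EKU clientAuth accepted, CRL found and cert not revoked, map matched, "Certificate validated"), so the drop that follows is not a peer-certificate problem. Second, `subject-name ne ""` hands every certificate the CA ever issued to ra_tun_group; with `isakmp ikev1-user-authentication none` in the config, the only thing standing between a stray user cert and a tunnel is the LDAP authorization step (`authorization-required` plus the msNPAllowDialin map), so keep that step mandatory or tighten the map to an OU or issuer the way the strict map does.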
 
Ok, thanks. But I'm not tracking, as the beast says that the cert is valid.

Does that mean something else? Anyhow, I suspect that the cert map or tunnel group is incorrectly configured, as it's not passing the user to the AAA server (LDAP) to see that he should have access.

From the looks of it, the cert is checked to see if it's in a local CA server; it's not, so it gets passed to the trustpoint and gets validated, and it's checked against the CRLs and validated. The connection is then terminated by the ASA.

If I'm completely off please let me know, as I'd like to know how this works.
 
Hi,

Were you able to resolve this issue? I am trying to configure the ASA with WebVPN and AnyConnect with a Microsoft CA server and am running into similar issues. What was your solution?

Much appreciated
 
Yes. The resolution I ended up resorting to was recreating the trust points. Essentially what I figured was that the ASA would get to the point where it would need to exchange its identity with the clients; said ID would be based on the issued cert from the Microsoft CA. This, acting as an identity certificate for the ASA's communication with the clients, would allow proper key exchange and tunnel initialization between the ASA and the VPN clients.

Please note that the above is strictly what I myself formulated, with no documents or posts saying what was happening; just my interpretation of the debug outputs. I did not want to use the ASDM to create my configuration and I think that resulted in some mix-up on the trustpoint and the certs backing that. (Cisco only posts smart VPN guides being implemented with their ASDM.) Anyhow, you really will not find anything on the net describing the error I was getting, but the above is what I formulated and it worked for me. Just think with the datum that right after the cert validation takes place, the tunnel is constructed between the clients and the ASA; for that tunnel the ASA will need a working cert which is issued by the same CA from which the clients got their certs.

Looking deeper in the debug outputs you might also find "Attempt to get Phase 1 ID data failed while constructing ID" - that's the real issue I was having.

Hope that helps and I didn't lose you.
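The fix described in that reply, recreating the trustpoint so the ASA holds its own identity certificate issued by the same Microsoft CA as the clients, written out as an added example (this is not from the thread; the key label, hostname, subject and the Microsoft template name are assumptions, and the CA certificate and issued certificate are pasted in at the prompts where noted). Terminal enrollment is used so the CA does not need NDES/SCEP:

```cisco
! 1. Fresh RSA key pair for the ASA's identity certificate (label is assumed)
crypto key generate rsa label ra-tp-key modulus 2048
!
! 2. One trustpoint that will hold BOTH the CA cert and the ASA's own ID cert.
!    The user certs carry an LDAP CDP (the debug shows "CDP LDAP"), so allow
!    CRL retrieval over LDAP instead of disabling it.
crypto ca trustpoint ra-trust-point
 enrollment terminal
 fqdn ra01.ra.domain.com
 subject-name CN=ra01.ra.domain.com,OU=IT,O=xx,C=US
 keypair ra-tp-key
 revocation-check crl
 crl configure
  protocol ldap
!
! 3. Import the Microsoft CA's certificate: paste the base64 CA cert, then "quit"
crypto ca authenticate ra-trust-point
!
! 4. Print the CSR, submit it to the Microsoft CA (certsrv advanced request,
!    an offline template such as "IPSec (Offline request)"), then paste the
!    issued base64 certificate back in
crypto ca enroll ra-trust-point
crypto ca import ra-trust-point certificate
!
! 5. Verify before testing a client: the trustpoint must now list a
!    "Certificate" entry (the ASA's ID cert) as well as the "CA Certificate",
!    both with Status: Available. A trustpoint with only the CA cert is what
!    leaves IKE unable to build its Phase 1 ID.
show crypto ca certificates ra-trust-point
!
! 6. Bind it to the remote-access tunnel group for IKEv1 rsa-sig
tunnel-group ra_tun_group ipsec-attributes
 trust-point ra-trust-point
```

Issue the ASA's certificate from the same CA the clients chain to, as the reply says; the VPN client validates the ASA's identity cert against the CA it has, and a trustpoint that is "authenticated" (CA cert only) but never "enrolled" (no ID cert) validates the peer fine and then fails when the ASA has to present its own identity.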
 
I guess we could have run that through the Cisco Error Decoder, or run the show output through the Output Interpreter...

Burt
 