Cisco ASA 5505 Configuration Manual page 1382

Mapping Certificates to IPsec or SSL VPN Connection Profiles
•
•
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
Routed
•
Mapping Certificates to IPsec or SSL VPN Connection Profiles
When the adaptive security appliance receives an IPsec connection request with client certificate
authentication, it assigns a connection profile to the connection according to policies you configure. That
policy can be to use rules you configure, use the certificate OU field, use the IKE identity (i.e. hostname,
IP address, key ID), the peer IP address, or a default connection profile. For SSL connections, the
adaptive security appliance only uses the rules you configure.
For IPsec or SSL connections using rules, the adaptive security appliance evaluates the attributes of the
certificate against the rules until it finds a match. When it finds a match, it assigns the connection profile
associated with the matched rule to the connection. If it fails to find a match, it assigns the default
connection profile (DefaultRAGroup for IPsec and DefaultWEBVPNGroup for SSL VPN) to the
connection and lets the user choose the connection profile from a drop-down menu displayed on the
portal page (if it is enabled). The outcome of the connection attempt once in this connection profile
depends on whether or not the certificate is valid and the authentication settings of the connection
profile.
A certificate group matching policy defines the method to use for identifying the permission groups of
certificate users. You can use any or all of these methods.
Cisco ASA 5500 Series Configuration Guide using ASDM
64-72
Fallback—Specifies whether to use LOCAL for user authentication if the specified server group
–
fails.
Client Address Assignment—Specifies attributes relevant to assigning client attributes.
DHCP Servers—Specifies the IP address of a DHCP server to use. You can add up to 10 servers,
–
separated by spaces.
– Client Address Pools—Specifies up to 6 predefined address pools. To define an address pool,
go to Configuration > Remote Access VPN > Network Client Access > Address Assignment >
Address Pools.
Select—Opens the Select Address Pools dialog box.
–
Default Group Policy—Specifies attributes relevant to the default group policy.
Group Policy—Selects the default group policy to use for this connection. The default is
–
DfltGrpPolicy.
Manage—Opens the Configure Group Policies dialog box, from which you can add, edit, or
–
delete group policies.
Client Protocols—Selects the protocol or protocols to use for this connection. By default, both
–
IPsec and L2TP over IPsec are selected.
Security Context
Transparent Single
—
•
Multiple
Context System
— —
Chapter 64 General VPN Setup
OL-20339-01