
Map certificates to Tunnel Groups on Cisco ASA FWs

May 9th, 2013

Yesterday I noticed some strange messages in my syslog.

It turned out that on ASA firewalls that have more than one Connection Profile using certificate authentication, you will need to map the certificates to the Tunnel Groups.

Mapping the certificates to specific tunnel-groups can be done in the CLI or in the ASDM. Since Cisco is now pushing the ASDM as the primary management tool, you might as well get used to it. In all honesty, it’s extremely functional and, once you get used to it, very easy to navigate.


Then pick a name for the rule and select the Connection Profile.


For security reasons, I would always set anything that has to do with the default tunnels, policies, maps, etc. to disconnect in a separate DAP policy. That way, if a connection attempt is made that you have not explicitly defined or allowed, it will be terminated. For this reason we will choose the “New” button and name our map something intuitive that will allow us to immediately associate it with the tunnel we are mapping it to. For instance, if your tunnel is called “marketing_tunnel” and your policy for that tunnel is “marketing_policy”, name your map “marketing_certmap”. Trust me; this makes life much easier on a busy ASA when you are troubleshooting. Also create your certificate maps in order of importance, so that the “Priority” values fall into that order by default. Choose the connection profile (tunnel-group) you wish to map this rule to and click “Ok”.

Next we need to define the criteria (certificate values) that will be used for the certificate map. As of 8.4, there are four sections to the criterion: Field, Component, Operator, and Value.


In the above example we are using criteria that specify the name and domain of the person or device trying to authenticate. For this device it would be something like testserver.mycompany.com or testserver@mycompany.com. All of this information must be present on the certificate when it is issued, or it won’t be passed to the ASA during the authentication process.

In the example above, we are specifying that the certificate issuer is used to map the connection to a specific tunnel group. You may have more than one CA in your organization, each one used for a different purpose. For example: a CA used for laptops authenticating to the wireless infrastructure, a CA used for users authenticating to the VPN, and a CA used for your mobile devices to authenticate to wireless and VPN. In all of these circumstances, because the issuer CN for each CA will be different, you can assign each type of device to a different tunnel-group and apply different policies or restrictions to those tunnel groups.
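The CLI equivalent of the two ASDM rules above, as an added example that is not part of the original post. The map, tunnel-group and CA names (marketing_certmap, marketing_tunnel, mobile_certmap, mobile_tunnel, “MyCompany VPN CA”, “MyCompany Mobile CA”) are placeholders I chose for illustration; substitute your own.

```text
! Rule 1: match on the subject (who the certificate was issued to).
! Lowest sequence number is checked first, so order maps by importance.
crypto ca certificate map marketing_certmap 10
 subject-name attr cn eq testserver.mycompany.com
 subject-name attr ea eq testserver@mycompany.com
!
! Rule 2: match on the issuer (which CA signed the certificate).
! "co" = contains, "eq" = equals, "ne" = not equal, "nc" = does not contain.
crypto ca certificate map mobile_certmap 20
 issuer-name attr cn co "MyCompany Mobile CA"
!
! Bind each map to its tunnel-group for IPsec (IKE) connections.
tunnel-group-map enable rules
tunnel-group-map marketing_certmap 10 marketing_tunnel
tunnel-group-map mobile_certmap 20 mobile_tunnel
!
! Bind the same maps for SSL VPN / AnyConnect connections.
webvpn
 certificate-group-map marketing_certmap 10 marketing_tunnel
 certificate-group-map mobile_certmap 20 mobile_tunnel
```

A certificate that matches neither map falls through to the default connection profile, which is exactly the case the separate DAP “terminate” policy described above is meant to catch.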
