35-51
Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
Manage—Opens the Configure Group Policies dialog box, from which you can add, edit, or delete group policies.
Client Protocols—Selects the protocol or protocols to use for this connection. By default, both IPSec and L2TP over IPSec are selected.
Modes
The following table shows the modes in which this feature is available:
Mapping Certificates to IPSec or SSL VPN Connection Profiles
When the security appliance receives an IPSec or SSL connection request with client certificate authentication, it evaluates the attributes of the certificate against a set of rules until it finds a match. When it finds a match, it assigns the connection profile associated with the matched rule to the connection. If the security appliance fails to find a match, it assigns the DefaultWEBVPNGroup profile to the connection and, if the option is enabled, lets the user choose the connection profile from a drop-down menu displayed on the portal page.
To configure the evaluation of IPSec or SSL VPN connections against certificate criteria-based rules, use the IPSec Certificate to Connection Maps > Rules or Certificate to SSL VPN Connections Profile Maps panel.
This panel lets you create the certificate-based criteria for each IPSec and SSL VPN connection profile, as follows:
Step 1 Use the table at the top (Certificate to Connection Profile Maps) to do one of the following:
• Create a list name, called a “map,” specify the priority of the list, and assign the list to a connection profile. ASDM highlights the list after you add it to the table.
• Confirm that a list is assigned to the connection profile for which you want to add certificate-based rules. ASDM highlights the list after you add it to the table and displays any associated list entries in the table at the bottom of the pane.
Step 2 Use the table at the bottom (Mapping Criteria) to view, add, change, or delete entries in the selected list. Each entry in the list consists of one certificate-based rule. All of the rules in the mapping criteria list must match the contents of the certificate for the security appliance to choose the associated map index. To assign a connection profile if one criterion or another matches, create a separate list for each matching criterion.
To understand the fields, see the following section: Add/Edit Certificate Matching Rule
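The selection logic described above (maps tried in priority order, every rule in a map must match, separate maps give "one criterion or another" behaviour, DefaultWEBVPNGroup when nothing matches), as an added illustrative model that is not Cisco's code. The attribute names (issuer.CN, subject.OU), the operator set, the "lower priority value first" ordering and all sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
DEFAULT_PROFILE = "DefaultWEBVPNGroup"   # fallback profile named in the guide

# Comparison operators (assumed set): equals, not equals, contains, does not contain.
OPERATORS = {
    "eq": lambda actual, wanted: actual == wanted,
    "ne": lambda actual, wanted: actual != wanted,
    "co": lambda actual, wanted: wanted in actual,
    "nc": lambda actual, wanted: wanted not in actual,
}

@dataclass
class Rule:
    attr: str       # certificate attribute, e.g. "subject.OU" (naming assumed)
    operator: str   # one of the OPERATORS keys
    value: str

    def matches(self, cert: dict) -> bool:
        return OPERATORS[self.operator](cert.get(self.attr, "").lower(), self.value.lower())

@dataclass
class CertMap:
    name: str
    priority: int   # lower value is evaluated first (ordering assumed here)
    profile: str
    rules: list[Rule] = field(default_factory=list)

    def matches(self, cert: dict) -> bool:
        # Every rule in one map must match (AND); a map with no rules is
        # treated as matching nothing in this model.
        return bool(self.rules) and all(r.matches(cert) for r in self.rules)

def select_profile(cert: dict, maps: list[CertMap]) -> str:
    # Try maps in priority order; first full match wins, otherwise the default.
    for m in sorted(maps, key=lambda m: m.priority):
        if m.matches(cert):
            return m.profile
    return DEFAULT_PROFILE

# Constructed sample maps and certificate attribute sets (not real data).
MAPS = [
    CertMap("eng-map", 10, "EngineeringVPN",
            [Rule("issuer.CN", "eq", "Corp Issuing CA"),
             Rule("subject.OU", "eq", "Engineering")]),
    CertMap("contractor-map", 20, "ContractorVPN",
            [Rule("issuer.CN", "eq", "Corp Issuing CA"),
             Rule("subject.OU", "co", "Contractor")]),
]
ENGINEERING_CERT = {"issuer.CN": "Corp Issuing CA", "subject.OU": "Engineering"}
CONTRACTOR_CERT = {"issuer.CN": "Corp Issuing CA", "subject.OU": "Contractor-East"}
UNKNOWN_CERT = {"issuer.CN": "Other CA", "subject.OU": "Engineering"}
```

Because both maps require the same issuer, a certificate from another CA falls through to DefaultWEBVPNGroup even when its OU would otherwise match.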
Firewall Mode              Security Context
Routed    Transparent      Single    Multiple Context    System
——