Cisco AnyConnect Secure Mobility Client v2.x Technical Manual

Router(config)# crypto pki enroll RTR-ID
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=webvpn.cisco.com,OU=TSWEB,O=Cisco Systems,C=US,St=California,L=San Jose
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
Router(config)#
Step 2. Configure the Certificate Maps
A certificate map is used to classify incoming VPN client connections into specific WebVPN contexts. The classification is based on the matching criteria configured in the certificate map. This configuration shows how to match on the OU field of the end-user certificate.
Router# configure terminal
Router(config)# crypto pki certificate map sales 10
Router(ca-certificate-map)# subject-name eq ou = sales
Router(ca-certificate-map)# !
Router(ca-certificate-map)# crypto pki certificate map finance 10
Router(ca-certificate-map)# subject-name eq ou = finance
Router(ca-certificate-map)# exit
Router(config)# exit
Note: When you configure certificate maps, if there are multiple instances of the same certificate map (the same map name with different sequence numbers), an OR operation is applied across them. However, if multiple rules are configured under the same instance of a certificate map, an AND operation is applied across them. For example, in this configuration, any certificate whose issuer name contains the string "Company" and that either contains the string "DIAL" in the subject name or contains "WAN" in the OrganizationalUnit component will be accepted:
crypto pki certificate map Group 10
 issuer-name co Company
 subject-name co DIAL
crypto pki certificate map Group 20
 issuer-name co Company
 subject-name co ou=WAN
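The OR-across-instances, AND-within-an-instance rule above is easy to get wrong once several maps accumulate, so it helps to model it. The following Python is an added example, not code from the manual or from Cisco: it parses a constructed certificate-map config into instances and rules and classifies constructed subject/issuer strings; the eq/ne/co/nc operator semantics are a simplified assumption, not IOS's exact matching algorithm.

```python
import re
# Constructed IOS-style certificate map config (example input, not from the manual).
CONFIG = """
crypto pki certificate map Group 10
 issuer-name co Company
 subject-name co DIAL
crypto pki certificate map Group 20
 issuer-name co Company
 subject-name co ou=WAN
crypto pki certificate map sales 10
 subject-name eq ou = sales
"""
CERTS = {  # constructed end-user certificates: only the DN fields the rules inspect
    "dial_user":    {"subject-name": "CN=alice,OU=DIAL,O=Example", "issuer-name": "CN=Company Root CA"},
    "wan_user":     {"subject-name": "CN=bob,OU=WAN,O=Example",    "issuer-name": "CN=Company Root CA"},
    "wan_other_ca": {"subject-name": "CN=carol,OU=WAN,O=Example",  "issuer-name": "CN=Other CA"},
    "sales_user":   {"subject-name": "CN=dave,OU=Sales,O=Example", "issuer-name": "CN=Company Root CA"},
}

def parse_cert_maps(text):
    """Return {map_name: [instance, ...]}; each instance is a list of (field, op, value)."""
    maps, rules = {}, None
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"crypto pki certificate map (\S+) (\d+)$", line)
        rule = re.match(r"(subject-name|issuer-name) (eq|ne|co|nc) (.+)$", line)
        if head:
            rules = []  # a new sequence number starts a new instance of the map
            maps.setdefault(head.group(1), []).append(rules)
        elif rule and rules is not None:
            rules.append(rule.groups())
    return maps

def _norm(s):
    return re.sub(r"\s+", "", s).lower()  # 'OU = Sales' compares equal to 'ou=sales'

def rule_matches(rule, cert):
    # Simplified semantics (an assumption, not IOS's exact algorithm): co/nc test a
    # substring of the whole DN, eq/ne test one DN component (escaped commas ignored).
    field, op, value = rule
    dn, val = _norm(cert[field]), _norm(value)
    hit = val in dn if op in ("co", "nc") else val in dn.split(",")
    return hit if op in ("co", "eq") else not hit

def map_matches(instances, cert):
    """OR across the instances of one map, AND across the rules inside an instance."""
    return any(all(rule_matches(r, cert) for r in inst) for inst in instances)

def classify(cert, maps=None):  # sorted names of every map that accepts the certificate
    maps = parse_cert_maps(CONFIG) if maps is None else maps
    return sorted(name for name, inst in maps.items() if map_matches(inst, cert))
```

Running `classify` over `CERTS` shows that a "WAN" certificate from a CA other than "Company" matches nothing, because the issuer rule is ANDed inside each instance rather than ORed with the subject rule.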
Step 3. Configure WebVPN Gateway
The WebVPN gateway is where VPN users terminate their connections. In its simplest configuration, it requires an IP address and an associated trustpoint. The associated trustpoint "RTR-ID" was created in Step 1 under WebVPN gateway.