Today I am bringing you a fairly high-tech lab. It took from Monday to Thursday to get it working: on Monday I learned of the lab, Tuesday was fruitless, on Wednesday I basically got the VPN up, on Wednesday evening on the way home I thought of the solution, and on Thursday (today) I got it working and wrote this post. Not easy at all! A brief overview: the internal router "CA" is first configured as a certificate server that offers SCEP online certificate enrollment; it issues certificates to all AnyConnect clients. The AnyConnect users then dial in to the ASA using certificate authentication, and each receives a different VPN policy according to the OU field inside their certificate. The lab is rather involved; interested readers may want to take a look! Ku6 online video:
http://v.ku6.com/show/BiJHrYy8GjzKG1bZ.html

Tudou online video:

http://www.tudou.com/programs/view/Uj_mnsd-RFs/
------------------------------------------------------------------------


[Figure 1: 现任明教教主 ASA8.4 AnyConnect3.0 SCEP online certificate enrollment and authentication]

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Detailed configuration record $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
=========================== Basic network ===========================
hostname asa
domain-name yeslab.net

interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shutdown
route Outside 0.0.0.0 0.0.0.0 202.100.1.1

============================ Time ==============================
clock timezone GMT 8
ntp server 10.1.1.1
=========================== Generate keys ===========================
crypto key generate rsa modulus 1024
=========================== Enroll certificate ===========================
crypto ca trustpoint CA
 enrollment url http://10.1.1.1:80
 fqdn asa.yeslab.net
 subject-name cn=asa.yeslab.net
=========================== Use the certificate and enable ASDM =================
ssl trust-point CA
http server enable 500
http 0.0.0.0 0.0.0.0 Outside
========================= Enable basic webvpn =======================
webvpn
 enable Outside
 anyconnect image disk0:/anyconnect-win-3.0.1047-k9.pkg 1
 anyconnect profiles group1 disk0:/group1.xml
 anyconnect profiles group2 disk0:/group2.xml
 anyconnect enable
 tunnel-group-list enable
================= Enable the tunnel-group used for certificate enrollment ===================
tunnel-group certenroll type remote-access
tunnel-group certenroll webvpn-attributes
 group-alias certenroll enable
===================== Configure the certificate-enrollment group-policies =================
access-list Split standard permit 10.1.1.0 255.255.255.0
ip local pool enroll-pool 111.1.1.100-111.1.1.200

group-policy group1-certenroll internal
group-policy group1-certenroll attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split
 address-pools value enroll-pool
 webvpn
  anyconnect profiles value group1 type user
group-policy group2-certenroll internal
group-policy group2-certenroll attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split
 address-pools value enroll-pool
 webvpn
  anyconnect profiles value group2 type user
======= Configure usernames and passwords for certificate authentication, and associate them with group-policies =======
username user1 password cisco
username user1 attributes
 vpn-group-policy group1-certenroll
username user2 password cisco
username user2 attributes
 vpn-group-policy group2-certenroll
===================== Configure the certificate-authentication tunnel-group ===============
tunnel-group certauth type remote-access
tunnel-group certauth general-attributes
 authorization-server-group LOCAL
 authorization-required
 username-from-certificate OU
tunnel-group certauth webvpn-attributes
 authentication certificate
 group-alias certauth enable
===================== Configure the certificate-authentication group-policies ===============
ip local pool IPPOOL1 121.1.1.100-121.1.1.200
ip local pool IPPOOL2 122.1.1.100-122.1.1.200

group-policy group1vpn internal
group-policy group1vpn attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split
 address-pools value IPPOOL1

group-policy group2vpn internal
group-policy group2vpn attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split
 address-pools value IPPOOL2
=============== Configure users whose names equal the OU, and associate them with group-policies ========
username group2 password cisco
username group2 attributes
 vpn-group-policy group2vpn
username group1 password cisco
username group1 attributes
 vpn-group-policy group1vpn
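The heart of the certauth tunnel-group is three lines: `username-from-certificate OU` takes the OU of the client certificate's subject as the username, `authorization-server-group LOCAL` looks that username up in the ASA's local database, and `authorization-required` drops the session when the lookup fails; the matched local user's `vpn-group-policy` then selects the address pool. The Python below is an added example (not Cisco code and not from the original post) that simulates exactly that decision on constructed subject DNs, using the usernames, group-policies and pools from the configuration above. The RFC 4514 DN parser and the rule "first OU in the subject wins" are assumptions of the example.

```python
"""Simulate the ASA certauth decision: username-from-certificate OU,
authorization-server-group LOCAL, authorization-required.
Added example; the subject DNs used below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    group_policy: str
    pool: str


# LOCAL user database as configured on the ASA in the lab above.
LOCAL_USERS = {
    "user1": Policy("group1-certenroll", "enroll-pool"),
    "user2": Policy("group2-certenroll", "enroll-pool"),
    "group1": Policy("group1vpn", "IPPOOL1"),
    "group2": Policy("group2vpn", "IPPOOL2"),
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 style DN such as "CN=pc1,OU=group1,O=yeslab" into
    (attribute, value) pairs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def username_from_certificate(dn: str, field: str = "OU") -> Optional[str]:
    """Mirror `username-from-certificate OU`: the first matching RDN is used
    (assumption of this example)."""
    for attr, value in parse_dn(dn):
        if attr == field:
            return value
    return None


def authorize(dn: str) -> Optional[Policy]:
    """Return the policy the ASA would apply to a session presenting a
    certificate with this subject, or None when `authorization-required`
    rejects it because the OU is not a LOCAL username."""
    user = username_from_certificate(dn)
    if user is None:
        return None
    return LOCAL_USERS.get(user)


if __name__ == "__main__":
    # Constructed subjects: two enrolled clients and one unknown OU.
    for subject in ("CN=pc1,OU=group1,O=yeslab",
                    "CN=pc2,OU=group2,O=yeslab",
                    "CN=pc3,OU=sales,O=yeslab"):
        print(subject, "->", authorize(subject))
```

Note that the lookup covers the whole LOCAL database, so a certificate whose OU equals one of the enrollment usernames (user1 or user2) would also pass authorization, landing in the enrollment policy; keeping OU values and ordinary usernames disjoint avoids that overlap.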

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Profile backup $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
asa# more disk0:/group1.xml
(The XML element names of this profile did not survive extraction; only the element values remain, listed below in document order.)
false
false
false
User
false
Native
true
12
false
true
false
true
true
DisconnectOnSuspend

true
Automatic
SingleLocalLogon
LocalUsersOnly
false
Disable

false

asa.yeslab.net/certenroll
http://10.1.1.1

group1
true

false
20
4

false

asa.yeslab.net
asa.yeslab.net
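The values above that matter for this lab are the ones in the profile's certificate-enrollment section: the SCEP host `asa.yeslab.net/certenroll` (ASA hostname plus the alias of the enrollment tunnel-group), the CA URL `http://10.1.1.1`, and the OU `group1` that the client asks the CA to put into its certificate. The Python below is an added example (not the original post's profile and not Cisco's code) that writes such a profile with ElementTree, reads it back, and checks it against the ASA configuration: the OU must be a LOCAL username, otherwise certauth rejects the session, and the SCEP host must end in the enrollment alias. The element names and the default namespace follow the AnyConnect client-profile schema as this example assumes it.

```python
"""Build and check the CertificateEnrollment part of an AnyConnect client
profile.  Added example; element names and namespace are assumptions taken
from the AnyConnect client-profile schema, values come from the lab above."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Default namespace AnyConnect profiles declare (assumption of this example).
NS = "http://schemas.xmlsoap.org/encoding/"
ET.register_namespace("", NS)


def q(name: str) -> str:
    """Qualify an element name with the profile namespace."""
    return "{%s}%s" % (NS, name)


def build_profile(ou: str, scep_host: str, ca_url: str, asa_host: str) -> bytes:
    """Produce a minimal profile whose enrollment section mirrors group1.xml."""
    root = ET.Element(q("AnyConnectProfile"))
    init = ET.SubElement(root, q("ClientInitialization"))
    ET.SubElement(init, q("CertificateStore")).text = "User"
    enroll = ET.SubElement(init, q("CertificateEnrollment"))
    ET.SubElement(enroll, q("AutomaticSCEPHost")).text = scep_host
    ca = ET.SubElement(enroll, q("CAURL"), PromptForChallengePW="false")
    ca.text = ca_url
    contents = ET.SubElement(enroll, q("CertificateContents"))
    ET.SubElement(contents, q("OU")).text = ou
    ET.SubElement(enroll, q("DisplayGetCertButton")).text = "true"
    servers = ET.SubElement(root, q("ServerList"))
    host = ET.SubElement(servers, q("HostEntry"))
    ET.SubElement(host, q("HostName")).text = asa_host
    ET.SubElement(host, q("HostAddress")).text = asa_host
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def read_enrollment(xml_bytes: bytes) -> Dict[str, str]:
    """Extract the enrollment parameters the client will use."""
    root = ET.fromstring(xml_bytes)
    ns = {"a": NS}
    enroll = root.find("a:ClientInitialization/a:CertificateEnrollment", ns)
    if enroll is None:
        raise ValueError("profile has no CertificateEnrollment section")

    def text(path: str) -> str:
        el = enroll.find(path, ns)
        return el.text if el is not None and el.text else ""

    ca = enroll.find("a:CAURL", ns)
    return {
        "scep_host": text("a:AutomaticSCEPHost"),
        "ca_url": text("a:CAURL"),
        "ou": text("a:CertificateContents/a:OU"),
        "prompt_pw": ca.get("PromptForChallengePW", "") if ca is not None else "",
    }


def check_profile(xml_bytes: bytes, local_users: Set[str], enroll_alias: str) -> List[str]:
    """Cross-check the profile against the ASA config; returns problems found."""
    info = read_enrollment(xml_bytes)
    problems = []
    if info["ou"] not in local_users:
        problems.append("OU %r is not a LOCAL username on the ASA" % info["ou"])
    if not info["scep_host"].endswith("/" + enroll_alias):
        problems.append("AutomaticSCEPHost does not end with /%s" % enroll_alias)
    return problems


if __name__ == "__main__":
    local = {"user1", "user2", "group1", "group2"}   # LOCAL users from the lab
    for ou in ("group1", "group2"):
        profile = build_profile(ou, "asa.yeslab.net/certenroll",
                                "http://10.1.1.1", "asa.yeslab.net")
        print(ou, read_enrollment(profile), check_profile(profile, local, "certenroll"))
```

Running `check_profile` over every profile uploaded to disk0: before pointing clients at it catches the two mistakes that silently break this design: an OU that no local user carries, and a SCEP host that names the wrong tunnel-group alias.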
[Figure 2: 现任明教教主 ASA8.4 AnyConnect3.0 SCEP online certificate enrollment and authentication]