拓撲:
實驗目的:
1 實驗證書驗證遠端客戶。
2 驗證成功後,通過AD屬性映射group-policy。
3 用戶端使用線上申請證書。
本文以WIN 2003 作為域伺服器和證書伺服器,XP作為用戶端。(win2008 做AD和CA,WIN 7做用戶端,和本文基本相同,唯一要注意的是要使用HTTPS)
域和證書伺服器的安裝不在這裡給出。下面是WIN 2003 的設定
用戶端生氣證書:
ASA配置;
hostname asa
domain-name wenlf136.net
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 192.168.20.254 255.255.255.0
clock timezone GMT 8
access-list out extended permit icmp any any
access-list out extended permit udp any host 192.168.10.10 eq domain
access-list out extended permit tcp any host 192.168.10.10 eq www
access-list out extended permit tcp any host 192.168.10.10 eq https
access-group out in interface outside
ldap attribute-map group-to-policy
map-name memberOf IETF-Radius-Class
map-value memberOf CN=group,OU=HROU,DC=wenlf136,DC=net sslgroup
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldapgroup protocol ldap
aaa-server ldapgroup host 192.168.10.10
ldap-base-dn dc=wenlf136, dc=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator, cn=users, dc=wenlf136, dc=net
server-type microsoft
ldap-attribute-map group-to-policy
crypto ca trustpoint CA
enrollment terminal
fqdn asa.wenlf136.net
subject-name cn=asa.wenlf136.net
keypair sslkey
ssl trust-point CA outside
ssl certificate-authentication interface outside port 443
webvpn
enable outside
group-policy sslgroup internal
group-policy sslgroup attributes
banner value Welcome
tunnel-group DefaultWEB×××Group general-attributes
authorization-server-group ldapgroup
authorization-required
authorization-dn-attributes CN
tunnel-group DefaultWEB×××Group webvpn-attributes
authentication certificate
給ASA 申請證書:
驗證: