拓扑:
实验目的:
1 实验证书验证远程客户。
2 验证成功后,通过AD属性映射group-policy。
3 客户端使用在线申请证书。
本文以WIN 2003 作为域服务器和证书服务器,XP作为客户端。(win2008 做AD和CA,WIN 7做客户端,和本文基本相同,唯一要注意的是要使用HTTPS)
域和证书服务器的安装不在这里给出。下面是WIN 2003 的设置
客户端生气证书:
ASA配置;
hostname asa
domain-name wenlf136.net
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 192.168.20.254 255.255.255.0
clock timezone GMT 8
access-list out extended permit icmp any any
access-list out extended permit udp any host 192.168.10.10 eq domain
access-list out extended permit tcp any host 192.168.10.10 eq www
access-list out extended permit tcp any host 192.168.10.10 eq https
access-group out in interface outside
ldap attribute-map group-to-policy
map-name memberOf IETF-Radius-Class
map-value memberOf CN=group,OU=HROU,DC=wenlf136,DC=net sslgroup
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldapgroup protocol ldap
aaa-server ldapgroup host 192.168.10.10
ldap-base-dn dc=wenlf136, dc=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator, cn=users, dc=wenlf136, dc=net
server-type microsoft
ldap-attribute-map group-to-policy
crypto ca trustpoint CA
enrollment terminal
fqdn asa.wenlf136.net
subject-name cn=asa.wenlf136.net
keypair sslkey
ssl trust-point CA outside
ssl certificate-authentication interface outside port 443
webvpn
enable outside
group-policy sslgroup internal
group-policy sslgroup attributes
banner value Welcome
tunnel-group DefaultWEB×××Group general-attributes
authorization-server-group ldapgroup
authorization-required
authorization-dn-attributes CN
tunnel-group DefaultWEB×××Group webvpn-attributes
authentication certificate
给ASA 申请证书:
验证: