Clientless SSL VPN On Cisco IOS Router

The document provides step-by-step instructions for configuring clientless SSL VPN on a Cisco IOS router. It describes setting up user authentication with RADIUS, configuring NTP, enrolling a digital certificate from a CA server using SCEP, generating RSA key pairs, and obtaining the public key. The summary provides the high-level process without additional context or commentary.

Uploaded by

Khoa Huynh Dang

Clientless SSL VPN on Cisco IOS Router - Knowledge Base https://sites.google.com/site/amitsciscozone/home/security/clientless-ssl-vpn-on-cisco-ios-router-with-sdm

Clientless SSL VPN on Cisco IOS Router

Clientless SSL VPN allows a user to securely access resources remotely using an SSL-enabled web browser. This is a step-by-step guide to setting up Clientless SSL VPN (WebVPN) on a Cisco IOS router. Each SSL VPN Gateway requires a license to serve SSL clients. Cisco provides a two-user complimentary license on the supported routers. If more users are to be served by the SSL Gateway, additional licenses must be purchased.

The clients' web browsers (e.g. Mozilla Firefox, IE8) must support SSL. The latest SSL protocols supported are SSLv3 and TLSv1.0.

Configuration steps

Step 1: Setting up User Authentication

Clients must authenticate themselves to the SSL Gateway against either the local database or an authentication server such as RADIUS or TACACS+. This setup uses a RADIUS server. The Cisco router is configured for AAA as follows:

Setting up user authentication

interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
!
aaa new-model
aaa authentication login SSL_VPN group radius local
!
radius-server host 192.168.1.9
! The router authenticates to the RADIUS server using this shared-secret key
radius-server key sslvpn123
!
! The router sources its packets to the RADIUS server from the Loopback 0 interface
ip radius source-interface Loopback 0

Step 2: Configure NTP on Cisco router

It is highly recommended that the Cisco IOS router be time-synchronized with the CA server before obtaining a digital certificate, since certificate validity periods are checked against the router's clock. The ntp authenticate and ntp authentication-key commands are optional and are used to authenticate the NTP server.

Configuring NTP on Cisco router


ntp server 192.168.1.9
!

Step 3: Enrolling Digital Certificates

Since a Cisco IOS router does not ship with a built-in certificate that the HTTP secure server can use during the SSL handshake, this step involves obtaining one. There are two ways to obtain a certificate:

The first method is for the Cisco IOS router to generate its own certificate and sign it as valid. This is called a self-signed certificate. This type of certificate has limited use, because if the router reboots the certificate is lost and the router has to generate a new one, which the client must then accept again as valid. A persistent self-signed certificate, by contrast, survives router reloads because it is stored in NVRAM.

The second method is to obtain a certificate from a CA server (Certificate Authority). A Certificate Authority is a trusted entity which issues digital certificates for use by other parties. Examples of commercial CAs are Verisign, Entrust, etc. Microsoft Windows Server 2003 can also act as a CA server.

The Cisco IOS router obtains a digital certificate either by manual enrollment (copy and paste) or by automatic enrollment using SCEP (Simple Certificate Enrollment Protocol). We will use automatic enrollment with Microsoft Windows Server 2003 using SCEP. SCEP must be running on Server 2003: obtain the cepsetup.exe file from Microsoft's website and execute it on the server. Cisco IOS supports SCEP.

To obtain a certificate from the CA Server, the following sub-tasks must be completed.

Step 3.1: Generate RSA keys

RSA keys are generated in pairs: one public RSA key and one private RSA key. There are two types of RSA key pairs: special-usage keys and general-purpose keys (the default).

With special-usage keys, two key pairs are generated: one pair is used for any IKE policy that specifies RSA signatures as the authentication method, and the second pair for any IKE policy that specifies RSA-encrypted keys as the authentication method.

With general-purpose keys, only one key pair is generated. This pair is used for any IKE policy that specifies either RSA signatures or RSA-encrypted keys as the authentication method.

Before an RSA key pair can be generated, the hostname and the domain name must be configured on the router. Then the crypto key generate rsa command can be used to generate the RSA key pair.

Generate RSA key pair

! configuring the hostname
hostname SSLGateway
! configuring the domain-name
ip domain-name amit.com
!
! generating a general-purpose key pair of 1024 bits labelled FIRST_KEY.
! For SSL VPN, the minimum key strength should be 512 bits.
crypto key generate rsa general-keys modulus 1024 label FIRST_KEY exportable

When the Cisco router sends a request to the CA Server for a certificate, it will also include the RSA Public key generated using this command.

It is important to save the configuration to NVRAM at this stage, because the RSA keys are lost if the router reloads before the configuration is saved. Hence, we run the copy run start command now.

The show crypto key mypubkey rsa command shows the Public keys associated with the Cisco router.

show crypto key mypubkey rsa


SSLGateway# show crypto key mypubkey rsa
% Key pair was generated at: 23:49:01 AEST Jun 6 2010
Key name: FIRST_KEY
Storage Device: not specified
Usage: General Purpose Key
Key is exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C00A6A
B19FA83D 56519E74 2FD068FA 32FB18DA 3C914CC8 492256C8 C3600B05 9EA1C5D3
35D9078B 10F57B43 20EAF057 2A24EF84 3B4C3ED5 0121CBE6 A13A3FFE 4FCE241C
5DC53353 27F9C114 DE4A046F 0E90E2C5 542735CC 295A919F 941EA9F3 965195ED
7CB27600 46DA1A1E D2D02BFD A79E81D8 9C060F6D 34908A03 5D2E1362 8F020301 0001
% Key pair was generated at: 23:49:02 AEST Jun 6 2010
Key name: FIRST_KEY.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B60A6F F86AED05
5D06041B EC9FA552 F5B93EC3 072ECCEC 51099AED 512AF9DC F149E5A1 A88CFBB7
A53554D8 A8AB9014 47B0927C 2ABFFDAC D8352A72 97DA61A9 0948B0D7 4B252DE6
29691745 CEE02D1A A2FA1311 ADDBCA24 F4FA5AA3 9C88B555 1F020301 0001
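As an added check (example code written for this page, not part of the original article and not a Cisco tool), the following Python script parses the Key Data block printed above, which is the DER-encoded SubjectPublicKeyInfo of each key, and reports the modulus size and public exponent. The 2048-bit threshold is this example's own policy assumption; the article states that 512 bits is the minimum for SSL VPN. Run over the two keys above it reports 1024 bits for FIRST_KEY and 768 bits for the temporary FIRST_KEY.server key.

```python
# Added example (not from the original article): parse the "Key Data" that
# "show crypto key mypubkey rsa" prints, which is a DER SubjectPublicKeyInfo,
# and report the RSA modulus size so it can be checked against key-length policy.

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"

# Key Data hex copied from the router output shown in the article.
FIRST_KEY_HEX = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C00A6A
B19FA83D 56519E74 2FD068FA 32FB18DA 3C914CC8 492256C8 C3600B05 9EA1C5D3
35D9078B 10F57B43 20EAF057 2A24EF84 3B4C3ED5 0121CBE6 A13A3FFE 4FCE241C
5DC53353 27F9C114 DE4A046F 0E90E2C5 542735CC 295A919F 941EA9F3 965195ED
7CB27600 46DA1A1E D2D02BFD A79E81D8 9C060F6D 34908A03 5D2E1362 8F020301 0001
"""
SERVER_KEY_HEX = """
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B60A6F F86AED05
5D06041B EC9FA552 F5B93EC3 072ECCEC 51099AED 512AF9DC F149E5A1 A88CFBB7
A53554D8 A8AB9014 47B0927C 2ABFFDAC D8352A72 97DA61A9 0948B0D7 4B252DE6
29691745 CEE02D1A A2FA1311 ADDBCA24 F4FA5AA3 9C88B555 1F020301 0001
"""


def _read_tlv(buf, pos, expected_tag):
    """Decode one DER tag-length-value at pos; return (value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02X} at offset {pos}, got 0x{tag:02X}")
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Render DER OID content octets as dotted decimal."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for octet in value[1:]:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def parse_ios_rsa_pubkey(key_data_hex):
    """Return {'oid', 'modulus', 'exponent', 'bits'} for one Key Data block."""
    der = bytes.fromhex("".join(key_data_hex.split()))
    spki, _ = _read_tlv(der, 0, 0x30)              # SubjectPublicKeyInfo
    alg, pos = _read_tlv(spki, 0, 0x30)            # AlgorithmIdentifier
    oid, _ = _read_tlv(alg, 0, 0x06)               # algorithm OID (rsaEncryption)
    bitstr, _ = _read_tlv(spki, pos, 0x03)         # BIT STRING wrapping RSAPublicKey
    if bitstr[0] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    rsa_pub, _ = _read_tlv(bitstr, 1, 0x30)        # RSAPublicKey SEQUENCE
    n_bytes, pos = _read_tlv(rsa_pub, 0, 0x02)     # modulus INTEGER
    e_bytes, _ = _read_tlv(rsa_pub, pos, 0x02)     # publicExponent INTEGER
    modulus = int.from_bytes(n_bytes, "big")
    return {
        "oid": _decode_oid(oid),
        "modulus": modulus,
        "exponent": int.from_bytes(e_bytes, "big"),
        "bits": modulus.bit_length(),
    }


def key_strength_finding(key_data_hex, minimum_bits=2048):
    """Verdict string; minimum_bits is this example's policy threshold, not an IOS default."""
    info = parse_ios_rsa_pubkey(key_data_hex)
    if info["oid"] != RSA_ENCRYPTION_OID:
        return f"not an RSA key (algorithm {info['oid']})"
    if info["bits"] < minimum_bits:
        return f"WEAK: {info['bits']}-bit RSA modulus is below the {minimum_bits}-bit minimum"
    return f"OK: {info['bits']}-bit RSA modulus"


if __name__ == "__main__":
    for name, hexdata in (("FIRST_KEY", FIRST_KEY_HEX), ("FIRST_KEY.server", SERVER_KEY_HEX)):
        print(f"{name}: {key_strength_finding(hexdata)}")
```

The parser handles both short-form and long-form DER lengths, so it works for the 1024-bit key (whose outer length needs the 0x81 long form) as well as the 768-bit temporary key.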

Step 3.2: Configuring a Trustpoint

A trustpoint is a CA server that we trust and from which we obtain a digital certificate. The crypto pki trustpoint command lets us configure all the necessary certificate parameters. A named trustpoint is needed because a Cisco router can enroll with multiple CA servers using different RSA key pairs.

We will use the automatic enrollment method with Windows Server 2003 using SCEP. Manual enrollment is done with the enrollment terminal command, and a self-signed certificate can be generated with the enrollment selfsigned command.

Creating a trustpoint

! Windows Server 2003 (192.168.1.9). The trustpoint name is user-defined and has local significance.
crypto pki trustpoint WIN2003
 enrollment url http://192.168.1.9/certsrv/mscep/mscep.dll
 ! Required, as Server 2003 provides a Registration Authority (RA) when SCEP is installed
 enrollment mode ra
 rsakeypair FIRST_KEY
 revocation-check none
!

Step 3.3: Obtaining a CA Certificate

This step is to request a CA certificate before requesting an Identity Certificate. The CA certificate contains the RSA Public key of the CA Server, followed by the Digital
Signature of the CA Server.

The crypto pki authenticate command is used to import the CA certificate.

importing CA certificate
SSLGateway(config)# crypto pki authenticate WIN2003
Certificate has the following attributes:
Fingerprint MD5: 7D39EB83 CE48ECF4 91E5E5F7 A0022760
Fingerprint SHA1: D27CD5D2 865FC153 26CA66A2 197AABF6 922510BF

% Do you accept this certificate? [yes/no]: yes


Trustpoint CA certificate accepted.
SSLGateway(config)#

As seen above, the router prompts us to accept the CA certificate and shows its MD5 and SHA1 fingerprints. Once accepted, all certificates issued by this CA server will be trusted by this router.
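The fingerprints in that prompt are the only thing binding the trustpoint to the intended CA, so a practitioner compares them with the fingerprint obtained from the CA administrator through another channel before answering yes. The following Python helper (an added example, not part of the original article) normalizes the formats different tools use, IOS's spaced uppercase groups versus colon-separated lowercase, and compares them in constant time; ios_style_fingerprints shows how the MD5 and SHA1 values IOS prints are derived from the DER-encoded certificate. ROUTER_SHA1 is taken from the prompt above; PUBLISHED_SHA1 is a constructed colon-separated copy of the same value standing in for what the CA administrator would supply.

```python
# Added example (not from the original article): verify the CA certificate fingerprint
# shown by "crypto pki authenticate" against a value obtained out-of-band.
import hashlib
import hmac

# Value from the article's router prompt, and a constructed colon-separated form of
# the same fingerprint as another tool might present it.
ROUTER_SHA1 = "D27CD5D2 865FC153 26CA66A2 197AABF6 922510BF"
PUBLISHED_SHA1 = "d2:7c:d5:d2:86:5f:c1:53:26:ca:66:a2:19:7a:ab:f6:92:25:10:bf"


def normalize_fingerprint(text):
    """Drop spaces, colons and dashes and lowercase, so the two formats above compare equal."""
    digits = "".join(ch for ch in text.strip().lower() if ch not in " :-")
    if not digits or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("fingerprint is not hexadecimal")
    return digits


def fingerprints_match(router_shown, ca_published):
    """True only if both normalize to the same hex string (constant-time comparison)."""
    return hmac.compare_digest(normalize_fingerprint(router_shown),
                               normalize_fingerprint(ca_published))


def ios_style_fingerprints(der_cert):
    """MD5 and SHA1 of a DER certificate rendered the way IOS prints them:
    uppercase hex in 8-character groups separated by spaces."""
    out = {}
    for name, fn in (("MD5", hashlib.md5), ("SHA1", hashlib.sha1)):
        hexdigest = fn(der_cert).hexdigest().upper()
        out[name] = " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))
    return out


def accept_ca_certificate(router_shown_sha1, ca_published_sha1):
    """Decision helper: (accept, reason). Answer the IOS prompt with yes only on accept."""
    try:
        if fingerprints_match(router_shown_sha1, ca_published_sha1):
            return True, "SHA1 fingerprint matches the value obtained out-of-band"
        return False, "SHA1 fingerprint mismatch: do not accept the trustpoint certificate"
    except ValueError as exc:
        return False, f"cannot compare: {exc}"


if __name__ == "__main__":
    print(accept_ca_certificate(ROUTER_SHA1, PUBLISHED_SHA1))
```

Compare the SHA1 value rather than MD5 where the CA offers both; the helper accepts either format, but the stronger digest is the one worth relying on.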

Step 3.4: Obtaining an Identity Certificate

This step requests an Identity Certificate for the router itself from the CA server trusted in the previous step. The crypto pki enroll command causes the router to generate an identity certificate request and send it to the CA server.

While obtaining the Identity Certificate, the router prompts for a "password". This password must match the one-time challenge password displayed when opening the URL http://192.168.1.9/certsrv/mscep.

Obtaining an Identity Certificate for the router


SSLGateway(config)# crypto pki enroll WIN2003
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:


Re-enter password:

% The subject name in the certificate will include: SSLGateway.amit.com


% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate WIN2003 verbose' command will show the fingerprint.

SSLGateway(config)#
Jun 7 09:52:19.195: CRYPTO_PKI: Certificate Request Fingerprint MD5: 0E52173B 39E3D0E1 78F2D230 A783FB82
Jun 7 09:52:19.195: CRYPTO_PKI: Certificate Request Fingerprint SHA1: A9E448B5 D73EEA74 9B1CACD3 895B811A 5ABC617F
SSLGateway(config)#
SSLGateway(config)#
Jun 7 09:53:31.239: %PKI-6-CERTRET: Certificate received from Certificate Authority
SSLGateway(config)#

!-- The show crypto pki certificates command shows the certificates (CA and Identity) available on the router.

SSLGateway# show crypto pki certificates


Certificate
Status: Available
Certificate Serial Number: 0x610DA5F5000000000007
Certificate Usage: General Purpose
Issuer:
cn=WIN2003
dc=amit
dc=com
Subject:
Name: SSLGateway.amit.com
hostname=SSLGateway.amit.com
CRL Distribution Points:
ldap:///CN=WIN2003,CN=amit-ed0d48583a,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=amit,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://amit-ed0d48583a.amit.com/CertEnroll/WIN2003.crl
Validity Date:
start date: 03:42:50 AEST Jun 4 2010
end date: 03:52:50 AEST Jun 4 2011
Associated Trustpoints: WIN2003

CA Certificate
Status: Available
Certificate Serial Number: 0x6462CFFA77B593A74DB4E13D530CBC02
Certificate Usage: Signature
Issuer:
cn=WIN2003
dc=amit
dc=com
Subject:
cn=WIN2003
dc=amit
dc=com
CRL Distribution Points:
ldap:///CN=WIN2003,CN=amit-ed0d48583a,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=amit,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://amit-ed0d48583a.amit.com/CertEnroll/WIN2003.crl
Validity Date:
start date: 03:31:18 AEST May 21 2010
end date: 03:40:13 AEST May 21 2020
Associated Trustpoints: WIN2003

Step 4: Setting up an SSL VPN Gateway

In SSL VPN, the Cisco router acts as a proxy between the client's SSL-enabled web browser and the resources on the internal network. VPN sessions terminate at the SSL VPN Gateway's public IP address, and all VPN users point their web browsers to this address. In IOS, the gateway is configured using the webvpn gateway <Gateway_name> command.

SSL VPN Gateway


webvpn gateway SSLVPN_Gateway
ip address 172.27.1.2 port 443
http-redirect port 80
ssl trustpoint WIN2003
inservice
!

Gateway: The Gateway_Name has only local significance and is used to define an instance that is mapped to the SSL VPN context to terminate user sessions.

IP Address: This is the public IP address at which all VPN sessions terminate. The port number is 443 for HTTPS.

Trustpoint: The certificate associated with this trustpoint will be used during negotiation with VPN Clients.

HTTP Port Redirect: This is used if a VPN Client initiates an HTTP connection rather than HTTPS connection. The router will automatically redirect HTTP connection port 80
to HTTPS connection port 443.

inservice: This enables the SSL VPN Gateway definition.

Step 5: Setting up an SSL VPN Context

The actual user sessions are established to the SSL VPN context using the SSL VPN Gateway definition configured in Step 4. It includes all the policies that can be applied to
a user or a group of users. It also includes authentication that performs the actual user authentication. It is configured using webvpn context <Name> command.

SSL VPN Context

webvpn context SSLVPN_Context
aaa authentication list SSL_VPN
gateway SSLVPN_Gateway
max-users 100
inservice
login-message "Welcome to Amit.com"
default-group-policy SSLVPN_DefaultPolicy
!

Gateway: This maps to the previously configured (Step 4) SSL VPN Gateway.

Authentication list: This defines the authentication method for VPN Clients.

Maximum Number of Users: This is used to limit the number of users that can use the SSL VPN service.

inservice: This enables the SSL VPN Context definition.

Step 6: Configuring SSL VPN Group Policies

A group policy is a set of common parameters that an SSL VPN user inherits during tunnel negotiation. These parameters include ACLs, session timeout, banner, port forwarding, etc. Only one group policy can be applied to a user; it is known as the default-group-policy.

Remote users can use the SSL VPN to browse internal websites and Outlook Web Access. These links are called Bookmarks and are configured using the url-list command under webvpn context; each URL is defined with the url-text command.

After defining the URL-List, the next step is to map these definitions to appropriate group policy.

Configuring SSL VPN Group Policy

webvpn context SSLVPN_Context
 url-list "ClientlessVPN"
  heading "ClientlessVPN"
  url-text "WebServer" url-value "http://192.168.1.9"
 policy group SSLVPN_DefaultPolicy
  url-list "ClientlessVPN"
 default-group-policy SSLVPN_DefaultPolicy
!

When the user first initiates an HTTPS connection to the router at https://172.27.1.2 from a web browser, a certificate warning page is shown (screenshot in the original).

This is because Mozilla Firefox does not have the Windows Server 2003 CA as a trusted CA. We can accept this certificate by clicking I Understand the Risks, which takes us straight to the SSL VPN service page prompting for a username and password.

Once successfully logged in, the user is presented with a custom page belonging to a particular group-policy. The user can now access the internal website.


The following output shows a successful webvpn session with the user [email protected]

SSLGateway# show webvpn session user [email protected] context all


WebVPN user name = [email protected] ; IP address = 10.1.1.10 ; context = SSLVPN_Context
No of connections: 2
Created 00:02:43, Last-used 00:01:58

HTTP Authentciation:
-----------------------------------------------------------------
Server Auth Username Passwd
-----------------------------------------------------------------
192.168.1.9 NTLM abhagat *****

Client Port: 54701, Server IP Addr: 192.168.1.9, Server Port: 80


Client Port: 54702, Server IP Addr: 192.168.1.9, Server Port: 80
User Policy Parameters
Group name = SSLVPN_DefaultPolicy
Group Policy Parameters
url list name = "ClientlessVPN"
idle timeout = 2100 sec
session timeout = Disabled
citrix disabled
dpd client timeout = 300 sec
dpd gateway timeout = 300 sec
keep sslvpn client installed = disabled
rekey interval = 3600 sec
rekey method =
lease duration = 43200 sec


Comments

amit bhagat 11:56 PM Jun 4, 2010

The Cisco IOS is C3745-ADVENTERPRISEK9-M, Version 12.4(15)T9