Today I was researching whether there are any ways to block users who have valid certificates from making VPN connections to a router. I found that this can be achieved using an IOS feature called Certificate-based ACLs (CALCs).
Using a CALC we can define a filtering condition for the user certificates, such that only users whose certificates match the filter criteria are permitted to proceed through certificate authentication and VPN setup. All other users are refused VPN access immediately, without even going through the certificate checking process.
SYNTAX
(conf-t)#crypto pki certificate map <certificate-map-name> <entry-number>
certificate-map-name : Represents the name of the CALC
entry-number : Sequence number of this entry within the map; a map can hold several entries.
After creating the CALC, we can specify match conditions, or ACEs, one per line:
# <field-name> <match-criteria> <match-value>
field-name : Indicates which field of the certificate the filter applies to. The options are:
- alt-subject-name
- expires-on
- issuer-name
- name
- serial-number
- subject-name
- unstructured-subject-name
- valid-start
match-criteria : Indicates “how” the match takes place, i.e. how the match-value is compared against the certificate field named in field-name. The possibilities are:
- eq, ne, co (contains), nc (does not contain), lt (less than), ge (greater than or equal to)
match-value : The value that is compared against the field-name using the comparison given in match-criteria.
EXAMPLE
#crypto pki certificate map Certs_TB_blocked 10
#subject-name co Marketing
The above CALC will only permit users whose certificate subject name contains “Marketing” to create VPN connections to the router.
In order to apply this CALC, we attach it to the trustpoint definition on our central router. When the central router receives a certificate from a user, it checks with its trustpoint whether the certificate is valid. At this point, the CALC is applied to decide which certificates should be checked at all (e.g. those from Marketing) and which should be shown the door (e.g. other departments that are not eligible to make VPN connections).
#crypto pki trustpoint Tacack
#match certificate Certs_TB_blocked
#enrollment-url… ( bla bla bla… )
Using this, a powerful certificate filtering feature can be enforced on a router to limit or police the VPN connections from the various users in a company.
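To make the filtering behaviour concrete, here is an added Python model of how such a map is evaluated (example code written for this page; it is not part of the original post and not Cisco's own implementation). It parses a map written in the syntax above, then evaluates constructed sample certificates against it. Assumptions it makes: lines within one entry are ANDed and entries are tried in ascending number and ORed, a certificate matching no entry is refused before anything else is checked, string fields compare case-insensitively, and dates are written as YYYY-MM-DD rather than in IOS's own date syntax. The second map entry, the expiry floor and all certificate data are constructed for the example.

```python
from datetime import datetime

# Supported match criteria, as listed in the post: eq, ne, co, nc, lt, ge.
CRITERIA = {
    "eq": lambda actual, wanted: actual == wanted,
    "ne": lambda actual, wanted: actual != wanted,
    "co": lambda actual, wanted: wanted in actual,
    "nc": lambda actual, wanted: wanted not in actual,
    "lt": lambda actual, wanted: actual < wanted,
    "ge": lambda actual, wanted: actual >= wanted,
}

# Fields that hold dates; every other field is treated as a string.
DATE_FIELDS = {"expires-on", "valid-start"}


def parse_certificate_map(text):
    """Parse a map in the post's syntax into {entry_number: [(field, criteria, value), ...]}.

    Assumption: dates are written as YYYY-MM-DD (a simplification of the IOS
    date syntax). Match lines belong to the most recent
    'crypto pki certificate map <name> <entry>' line above them.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto pki certificate map "):
            entry_number = int(line.split()[-1])
            current = entries.setdefault(entry_number, [])
            continue
        if current is None:
            raise ValueError(f"match line before any map entry: {line!r}")
        field_name, criteria, value = line.split(maxsplit=2)
        if criteria not in CRITERIA:
            raise ValueError(f"unknown match criteria {criteria!r}")
        if field_name in DATE_FIELDS:
            value = datetime.strptime(value, "%Y-%m-%d")
        current.append((field_name, criteria, value))
    return entries


def line_matches(cert, field_name, criteria, wanted):
    """Evaluate one ACE against the certificate's fields."""
    actual = cert.get(field_name)
    if actual is None:
        return False  # field absent from the certificate: it cannot match
    if field_name not in DATE_FIELDS:
        # Assumption: string fields are compared case-insensitively.
        actual, wanted = actual.lower(), wanted.lower()
    return CRITERIA[criteria](actual, wanted)


def evaluate(cert_map, cert):
    """Return the number of the first entry whose lines ALL match, or None.

    Assumed semantics: lines in one entry are ANDed; entries are tried in
    ascending order and ORed; no matching entry means the certificate is
    refused before any further validation takes place.
    """
    for entry_number in sorted(cert_map):
        if all(line_matches(cert, *ace) for ace in cert_map[entry_number]):
            return entry_number
    return None


# The map from the post, extended (constructed) with an expiry floor and a
# second entry that also admits the helpdesk team.
MAP_TEXT = """
crypto pki certificate map Certs_TB_blocked 10
 subject-name co Marketing
 expires-on ge 2026-01-01
crypto pki certificate map Certs_TB_blocked 20
 subject-name co ou=Helpdesk
"""

# Constructed sample certificates: only the fields the map filters on are modelled.
CERTS = {
    "alice": {"subject-name": "cn=alice,ou=Marketing,o=Example Corp",
              "expires-on": datetime(2030, 1, 1)},
    "bob":   {"subject-name": "cn=bob,ou=Engineering,o=Example Corp",
              "expires-on": datetime(2030, 1, 1)},
    "carol": {"subject-name": "cn=carol,ou=Marketing,o=Example Corp",
              "expires-on": datetime(2025, 6, 1)},  # valid, but expires before the floor
    "dave":  {"subject-name": "cn=dave,ou=Helpdesk,o=Example Corp",
              "expires-on": datetime(2027, 1, 1)},
}


def decisions(map_text=MAP_TEXT, certs=CERTS):
    """Map each user to the entry number that admitted them (None = refused)."""
    cert_map = parse_certificate_map(map_text)
    return {user: evaluate(cert_map, cert) for user, cert in certs.items()}


if __name__ == "__main__":
    for user, entry in decisions().items():
        verdict = f"admitted by entry {entry}" if entry is not None else "refused"
        print(f"{user:6} -> {verdict}")
```

Running it shows alice admitted by entry 10, dave by entry 20, and bob and carol refused: carol's certificate is perfectly valid, but entry 10 requires every line to match, so the expiry floor alone is enough to keep her out. That is the point of the feature: the decision is made on the certificate's contents, before the router spends any effort on full validation.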
