1-17
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring IPsec and ISAKMP
Configuring Certificate Group Matching for IKEv1
Note Certificate group matching applies to IKEv1 and IKEv2 LAN-to-LAN connections only. IKEv2 remote
access connections support the pull-down group selection configured in the webvpn-attributes of the
tunnel-group and webvpn configuration mode for certificate-group-map, and so on.
To match users to tunnel groups based on these fields of the certificate, you must first create rules that
define a matching criteria, and then associate each rule with the desired tunnel group.
To create a certificate map, use the crypto ca certificate map command. To define a tunnel group, use
the tunnel-group command.
You must also configure a certificate group matching policy, specifying to match the group from the
rules, or from the organizational unit (OU) field, or to use a default group for all certificate users. You
can use any or all of these methods.
The following sections provide more information:
• Creating a Certificate Group Matching Rule and Policy, page 1-17
• Using the Tunnel-group-map default-group Command, page 1-18
Creating a Certificate Group Matching Rule and Policy
To configure the policy and rules by which certificate-based ISAKMP sessions map to tunnel groups,
and to associate the certificate map entries with tunnel groups, enter the tunnel-group-map command
in either single or multiple context mode.
The syntax follows:
tunnel-group-map enable {rules | ou | ike-id | peer ip}
tunnel-group-map [rule-index] enable policy
Be aware of the following:
• You can invoke this command multiple times as long as each invocation is unique and you do not
reference a map index more than once.
• Rules cannot be longer than 255 characters.
policy Specifies the policy for deriving the tunnel group name from the certificate.
Policy can be one of the following:
ike-id—Indicates that if a tunnel group is not determined based on a rule
lookup or taken from the OU, then the certificate-based ISAKMP sessions are
mapped to a tunnel group based on the content of the phase1 ISAKMP ID.
ou—Indicates that if a tunnel-group is not determined based on a rule lookup,
then use the value of the OU in the subject distinguished name (DN).
peer-ip—Indicates that if a tunnel group is not determined based on a rule
lookup or taken from the OU or ike-id methods, then use the peer IP address.
rules—Indicates that the certificate-based ISAKMP sessions are mapped to a
tunnel group based on the certificate map associations configured by this
command.
rule index (Optional) Refers to parameters specified by the crypto ca certificate map
command. The values are 1 to 65535.
To Next Page
Loading...
Need help?
General