Clientless SSL VPN on Cisco IOS Router

Clientless SSL VPN allows a user to securely access resources remotely using an SSL-enabled web browser. This is a step-by-step guide to setting up Clientless SSL VPN (WebVPN) on a Cisco IOS router. Each SSL VPN gateway requires a license to serve SSL clients. Cisco provides a complimentary two-user license on the supported routers; if more users need to be served by the SSL gateway, additional licenses must be purchased.

The clients' web browsers (e.g. Mozilla Firefox, IE8) must support SSL. The latest SSL protocols supported are SSLv3 and TLSv1.0.

Configuration steps

Step 1: Setting up User Authentication

Clients must authenticate either against the local database or against an authentication server, such as RADIUS or TACACS+, configured on the SSL gateway. This setup uses a RADIUS server. The Cisco router is configured for AAA as follows:

Setting up user authentication

interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
!
aaa new-model
aaa authentication login SSL_VPN group radius local
!
radius-server host 192.168.1.9
radius-server key sslvpn123              ! The router authenticates to the RADIUS server using this shared-secret key
!
ip radius source-interface Loopback 0    ! The router sources its RADIUS packets from the Loopback 0 interface

Step 2: Configure NTP on Cisco router

It is highly recommended that the Cisco IOS router's clock be synchronized with the CA server before it obtains a digital certificate, because the validity period of every certificate is checked against the router's own time. The ntp authenticate and ntp authentication-key commands are optional and enable authentication with the NTP server.

Configuring NTP on Cisco router

ntp server 192.168.1.9
!

Step 3: Enrolling Digital Certificates

Since a Cisco IOS router does not have a built-in certificate that the HTTP secure server can use during the SSL handshake, this step covers obtaining one. There are two ways to obtain a certificate:

The first method is for the Cisco IOS router to generate its own certificate and sign it itself; this is called a self-signed certificate. This type of certificate has limited usefulness: if the router reboots, the certificate is lost and the router has to generate a new one, and the client then has to accept the new certificate as valid. A persistent self-signed certificate survives router reloads because it is stored in NVRAM.

The second method involves obtaining a certificate from a CA server (Certificate Authority). A Certificate Authority is a trusted entity that issues digital certificates for use by other parties. Examples of commercial CAs are Verisign, Entrust, etc. Microsoft Windows Server 2003 can also act as a CA server.

The Cisco IOS router obtains a digital certificate either by manual enrollment (copy and paste) or by automatic enrollment using SCEP (Simple Certificate Enrollment Protocol). We will use automatic enrollment against Microsoft Windows Server 2003 using SCEP, so SCEP must be running on the Server 2003 host: obtain the cepsetup.exe file from Microsoft's website and run it on the server. Cisco IOS supports SCEP natively.

To obtain a certificate from the CA Server, the following sub-tasks must be completed.

Step 3.1: Generate RSA keys

RSA keys are generated in pairs: one public RSA key and one private RSA key. There are two types of RSA key pairs: special-usage keys and general-purpose keys (the default).

Special-usage keys generate two key pairs: one pair is used for any IKE policy that specifies RSA signatures as the authentication method, and the second pair is used for any IKE policy that specifies RSA-encrypted keys as the authentication method.

General-purpose keys generate only one key pair, which is used for any IKE policy that specifies either RSA signatures or RSA-encrypted keys as the authentication method.

Before an RSA key pair can be generated, the hostname and the domain name must be configured on the router. The crypto key generate rsa command can then be used to generate the RSA key pair.

Generate RSA key pair

hostname SSLGateway                ! configuring the hostname
ip domain-name amit.com            ! configuring the domain name
!
! Generate a general-purpose 1024-bit key pair labelled FIRST_KEY. For SSL VPN, the minimum key strength should be 512 bits.
crypto key generate rsa general-keys modulus 1024 label FIRST_KEY exportable

When the Cisco router sends a certificate request to the CA server, it includes the RSA public key generated by this command.

It is important to save the configuration to NVRAM at this stage, because the RSA keys will be lost if the router reloads before they are saved. Hence we run the copy run start command now.

The show crypto key mypubkey rsa command shows the public keys associated with the Cisco router.

Viewing the RSA public keys

SSLGateway# show crypto key mypubkey rsa
% Key pair was generated at: 23:49:01 AEST Jun 6 2010
Key name: FIRST_KEY
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C00A6A
  B19FA83D 56519E74 2FD068FA 32FB18DA 3C914CC8 492256C8 C3600B05 9EA1C5D3
  35D9078B 10F57B43 20EAF057 2A24EF84 3B4C3ED5 0121CBE6 A13A3FFE 4FCE241C
  5DC53353 27F9C114 DE4A046F 0E90E2C5 542735CC 295A919F 941EA9F3 965195ED
  7CB27600 46DA1A1E D2D02BFD A79E81D8 9C060F6D 34908A03 5D2E1362 8F020301 0001
% Key pair was generated at: 23:49:02 AEST Jun 6 2010
Key name: FIRST_KEY.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B60A6F F86AED05
  5D06041B EC9FA552 F5B93EC3 072ECCEC 51099AED 512AF9DC F149E5A1 A88CFBB7
  A53554D8 A8AB9014 47B0927C 2ABFFDAC D8352A72 97DA61A9 0948B0D7 4B252DE6
  29691745 CEE02D1A A2FA1311 ADDBCA24 F4FA5AA3 9C88B555 1F020301 0001

Step 3.2: Configuring a Trustpoint

A trustpoint is a CA server that we trust to obtain a digital certificate from. The crypto pki trustpoint command lets us configure all the necessary certificate parameters under one name. Named trustpoints are used because a Cisco router can enroll with multiple CA servers using different RSA key pairs.

We will use the automatic enrollment method with Windows Server 2003 using SCEP. Manual enrollment is configured with the enrollment terminal command, and a self-signed certificate can be generated with the enrollment selfsigned command.

Creating a trustpoint

crypto pki trustpoint WIN2003      ! Windows Server 2003 (192.168.1.9). This trustpoint name is user-defined and has local significance.
 enrollment url http://192.168.1.9/certsrv/mscep/mscep.dll
 enrollment mode ra              ! Required as Server 2003 provides a Registration Authority (RA) when SCEP is installed
 rsakeypair FIRST_KEY            ! Use the key pair generated in Step 3.1 for this enrollment
 revocation-check none           ! No CRL/OCSP check for certificates from this CA; enable it in production where the CRL is reachable
!

Step 3.3: Obtaining a CA Certificate

This step requests the CA certificate before requesting an identity certificate. The CA certificate contains the RSA public key of the CA server, followed by the digital signature of the CA server.

The crypto pki authenticate command imports the CA certificate.

Importing the CA certificate

SSLGateway(config)# crypto pki authenticate WIN2003
Certificate has the following attributes:
       Fingerprint MD5: 7D39EB83 CE48ECF4 91E5E5F7 A0022760
      Fingerprint SHA1: D27CD5D2 865FC153 26CA66A2 197AABF6 922510BF
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
SSLGateway(config)#

As seen above, the router prompts us whether to accept the CA certificate. The MD5 and SHA1 fingerprints it displays should be compared with the fingerprints published by the CA administrator before answering yes, since once accepted, all certificates issued by this CA server will be trusted by this router.
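As an added illustration (not from the original article), the following Python script computes the MD5 and SHA1 fingerprints of a CA certificate obtained out of band (for example the .cer file exported from the CA) in the same grouped-hex form the router prints, so the two can be compared before answering yes at the prompt. The PEM input and the fingerprint strings are constructed sample values.

```python
import base64
import hashlib
import re

# Constructed sample PEM: the body is base64 of the bytes b"abc", so the expected
# fingerprints are the well-known MD5/SHA-1 digests of "abc". In practice, read
# the CA certificate file obtained from the CA administrator instead.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to the DER bytes the router hashes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def ios_fingerprint(der: bytes, algo: str) -> str:
    """Digest of the DER bytes in IOS style: upper-case hex in 4-byte groups."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))

def fingerprints_match(shown_by_router: str, computed: str) -> bool:
    """Compare ignoring spacing and case so either rendering can be pasted in."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(shown_by_router) == norm(computed)

def verify_ca_prompt(pem: str, router_md5: str, router_sha1: str) -> bool:
    """True only if both fingerprints the router displays match the out-of-band copy."""
    der = pem_to_der(pem)
    return (fingerprints_match(router_md5, ios_fingerprint(der, "md5"))
            and fingerprints_match(router_sha1, ios_fingerprint(der, "sha1")))

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("Fingerprint MD5: ", ios_fingerprint(der, "md5"))
    print("Fingerprint SHA1:", ios_fingerprint(der, "sha1"))
```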

Step 3.4: Obtaining an Identity Certificate

This step requests an identity certificate for the router itself from the CA server trusted in the previous step. The crypto pki enroll command causes the router to generate an identity certificate request and send it to the CA server.

While obtaining the identity certificate, the router prompts for a "password". This should match the one-time challenge password generated when opening the URL http://192.168.1.9/certsrv/mscep.

Obtaining an Identity Certificate for the router

SSLGateway(config)# crypto pki enroll WIN2003
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: SSLGateway.amit.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate WIN2003 verbose' commandwill show the fingerprint.
SSLGateway(config)#
Jun  7 09:52:19.195: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 0E52173B 39E3D0E1 78F2D230 A783FB82
Jun  7 09:52:19.195: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: A9E448B5 D73EEA74 9B1CACD3 895B811A 5ABC617F
SSLGateway(config)#
SSLGateway(config)#
Jun  7 09:53:31.239: %PKI-6-CERTRET: Certificate received from Certificate Authority
SSLGateway(config)#
!-- The show crypto pki certificates command shows the certificates (CA and Identity) available on the router.
SSLGateway# show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x610DA5F5000000000007
  Certificate Usage: General Purpose
  Issuer:
    cn=WIN2003
    dc=amit
    dc=com
  Subject:
    Name: SSLGateway.amit.com
    hostname=SSLGateway.amit.com
  CRL Distribution Points:
    ldap:///CN=WIN2003,CN=amit-ed0d48583a,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=amit,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://amit-ed0d48583a.amit.com/CertEnroll/WIN2003.crl
  Validity Date:
    start date: 03:42:50 AEST Jun 4 2010
    end   date: 03:52:50 AEST Jun 4 2011
  Associated Trustpoints: WIN2003
CA Certificate
  Status: Available
  Certificate Serial Number: 0x6462CFFA77B593A74DB4E13D530CBC02
  Certificate Usage: Signature
  Issuer:
    cn=WIN2003
    dc=amit
    dc=com
  Subject:
    cn=WIN2003
    dc=amit
    dc=com
  CRL Distribution Points:
    ldap:///CN=WIN2003,CN=amit-ed0d48583a,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=amit,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://amit-ed0d48583a.amit.com/CertEnroll/WIN2003.crl
  Validity Date:
    start date: 03:31:18 AEST May 21 2010
    end   date: 03:40:13 AEST May 21 2020
  Associated Trustpoints: WIN2003
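To tie Step 2 (clock synchronization) to the output above, here is an added Python check, not part of the original article, that parses the validity dates from show crypto pki certificates output and reports certificates that are not yet valid, expired, or close to expiry relative to the router's clock. The sample output is a constructed excerpt using the dates shown above; the router clock is passed in the same time format as the validity lines.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the format of the show crypto pki certificates output
# above; the dates are the ones the router printed for trustpoint WIN2003.
SAMPLE_OUTPUT = """Certificate
  Validity Date:
    start date: 03:42:50 AEST Jun 4 2010
    end   date: 03:52:50 AEST Jun 4 2011
  Associated Trustpoints: WIN2003
CA Certificate
  Validity Date:
    start date: 03:31:18 AEST May 21 2010
    end   date: 03:40:13 AEST May 21 2020
  Associated Trustpoints: WIN2003
"""

# Header lines that open a certificate block, and the two validity lines inside it.
HEADER_RE = re.compile(r"^(CA Certificate|Certificate)$", re.M)
DATE_RE = re.compile(r"^\s*(start|end)\s+date:\s+(\d\d:\d\d:\d\d \S+ \w+ \d+ \d{4})", re.M)

def parse_ios_time(text: str) -> datetime:
    """Parse '03:42:50 AEST Jun 4 2010'. The zone token is skipped, so every
    value is interpreted as router-local time (compare like with like)."""
    hms, _zone, rest = text.split(" ", 2)
    return datetime.strptime(f"{hms} {rest}", "%H:%M:%S %b %d %Y")

def parse_validity(output: str) -> list:
    """Return [(kind, start, end)] for every certificate block in the output."""
    parts = HEADER_RE.split(output)          # ['', kind, body, kind, body, ...]
    certs = []
    for kind, body in zip(parts[1::2], parts[2::2]):
        dates = {m.group(1): parse_ios_time(m.group(2)) for m in DATE_RE.finditer(body)}
        certs.append((kind, dates["start"], dates["end"]))
    return certs

def check_validity(output: str, router_clock: str, warn_days: int = 30) -> list:
    """Findings for certificates not yet valid or expired at router_clock, plus those expiring soon."""
    now = parse_ios_time(router_clock)
    findings = []
    for kind, start, end in parse_validity(output):
        if now < start:
            findings.append(f"{kind}: not yet valid until {start} (is the router clock right?)")
        elif now > end:
            findings.append(f"{kind}: expired on {end}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"{kind}: expires in {(end - now).days} days")
    return findings
```

A router whose clock is behind the CA's will report the freshly issued identity certificate as not yet valid, which is exactly the failure Step 2 is meant to prevent.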

Step 4: Setting up an SSL VPN Gateway

In SSL VPN, the Cisco router acts as a proxy between a client with an SSL-enabled web browser and the resources on the internal network. VPN sessions terminate at the SSL VPN gateway's public IP address, and all VPN users point their web browsers to this address. In IOS this is configured with the webvpn gateway <Gateway_name> command.

SSL VPN Gateway

webvpn gateway SSLVPN_Gateway
 ip address 172.27.1.2 port 443
 http-redirect port 80
 ssl trustpoint WIN2003
 inservice
!

Gateway: The gateway name has only local significance and defines an instance that is mapped to the SSL VPN context to terminate user sessions.

IP Address: This is the public IP address at which all VPN sessions terminate. The port number is 443 for HTTPS.

Trustpoint: The certificate associated with this trustpoint will be used during negotiation with VPN Clients.

HTTP Port Redirect: This is used if a VPN client initiates an HTTP connection rather than an HTTPS connection. The router automatically redirects the HTTP connection on port 80 to the HTTPS connection on port 443.

inservice: This enables the SSL VPN Gateway definition.

Step 5: Setting up an SSL VPN Context

The actual user sessions are established to the SSL VPN context, which uses the SSL VPN gateway definition configured in Step 4. The context holds all the policies that can be applied to a user or a group of users, and references the authentication list that performs the actual user authentication. It is configured using the webvpn context <Name> command.

SSL VPN Context

webvpn context SSLVPN_Context
 aaa authentication list SSL_VPN
 gateway SSLVPN_Gateway
 max-users 100
 inservice
 login-message "Welcome to Amit.com"
 default-group-policy SSLVPN_DefaultPolicy
!

Gateway: This maps to the previously configured (Step 4) SSL VPN Gateway.

Authentication list: This defines the authentication method for VPN Clients.

Maximum Number of Users: This is used to limit the number of users that can use the SSL VPN service.

inservice: This enables the SSL VPN Context definition.

Step 6: Configuring SSL VPN Group Policies

A group policy is a set of common parameters that an SSL VPN user inherits during tunnel negotiation. These parameters include ACLs, session timeout, banner, port forwarding, etc. Only one group policy can be applied to a user; the one assigned to the context is known as the default-group-policy.

Remote users can use SSL VPN to browse internal websites and Outlook Web Access. These links are also called bookmarks and are configured with the url-list command under webvpn context; each individual URL is defined with the url-text command.

After defining the URL list, the next step is to map it to the appropriate group policy.

Configuring SSL VPN Group Policy

webvpn context SSLVPN_Context
 url-list "ClientlessVPN"
   heading "ClientlessVPN"
   url-text "WebServer" url-value "http://192.168.1.9"
 policy group SSLVPN_DefaultPolicy
   url-list "ClientlessVPN"
 default-group-policy SSLVPN_DefaultPolicy
!

When the user first opens https://172.27.1.2 in a web browser, the browser shows a certificate warning page.

This is because Mozilla Firefox does not have the Windows Server 2003 CA in its trusted root store. We can accept this certificate by clicking on I Understand the Risks, which takes us straight to the SSL VPN service page prompting for a username and password.

Once successfully logged in, the user is presented with a custom page belonging to a particular group-policy. The user can now access the internal website.

The following output shows a successful WebVPN session for the user abhagat@amit.com:

SSLGateway# show webvpn session user abhagat@amit.com context all
WebVPN user name = abhagat@amit.com ; IP address = 10.1.1.10 ; context = SSLVPN_Context
    No of connections: 2
    Created 00:02:43, Last-used 00:01:58
    HTTP Authentciation:
    -----------------------------------------------------------------
      Server                         Auth    Username       Passwd
    -----------------------------------------------------------------
    192.168.1.9                      NTLM     abhagat        *****
    Client Port: 54701, Server IP Addr: 192.168.1.9, Server Port: 80
    Client Port: 54702, Server IP Addr: 192.168.1.9, Server Port: 80
    User Policy Parameters
      Group name = SSLVPN_DefaultPolicy
    Group Policy Parameters
      url list name = "ClientlessVPN"
      idle timeout = 2100 sec
      session timeout = Disabled
      citrix disabled
      dpd client timeout = 300 sec
      dpd gateway timeout = 300 sec
      keep sslvpn client installed = disabled
      rekey interval = 3600 sec
      rekey method =
      lease duration = 43200 sec