Configuring certificate group matching for ikev1 – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP


For example:

hostname(config)# crypto isakmp disconnect-notify

Configuring Certificate Group Matching for IKEv1

Tunnel groups define user connection terms and permissions. Certificate group matching lets you match
a user to a tunnel group using either the Subject DN or Issuer DN of the user certificate.

Note

Certificate group matching applies to IKEv1 and IKEv2 LAN-to-LAN connections only. IKEv2 remote
access connections instead use the group selection configured under the webvpn-attributes of the
tunnel-group and the certificate-group-map in webvpn configuration mode.

To match users to tunnel groups based on these certificate fields, you must first create rules that
define the matching criteria, and then associate each rule with the desired tunnel group.

To create a certificate map, use the crypto ca certificate map command. To define a tunnel group, use
the tunnel-group command.

You must also configure a certificate group matching policy, specifying whether to select the group from
the rules, from the organizational unit (OU) field of the certificate, or to use a default group for all
certificate users. You can use any or all of these methods.

The following sections provide more information:

Creating a Certificate Group Matching Rule and Policy, page 64-17

Using the Tunnel-group-map default-group Command, page 64-19

Creating a Certificate Group Matching Rule and Policy

To configure the policy and rules by which certificate-based ISAKMP sessions map to tunnel groups,
and to associate the certificate map entries with tunnel groups, enter the tunnel-group-map command
in global configuration mode.

The syntax follows:

tunnel-group-map enable {rules | ou | ike-id | peer-ip}

tunnel-group-map [rule-index] enable policy
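The following configuration is an added worked example, not text from the Cisco guide. It ties the steps above together for two IKEv1 LAN-to-LAN peers: two certificate map rules, the tunnel groups they select, a matching policy that uses the rules with a default group as fallback, and the bindings from each rule to its tunnel group. The map names (ENG-MAP, PARTNER-MAP), tunnel-group names, and all DN values are assumed placeholders; the ASA's own trustpoint and other peer authentication settings are omitted.

```cisco
! Added example, not from the Cisco guide. Map names, tunnel-group names
! and DN values are assumed placeholders; substitute your own.

! Step 1: certificate map rules. Each (map-name, sequence) pair is one rule.
! Pin the issuer as well as the subject so that a certificate carrying a
! matching OU but issued by a different trusted CA does not select this group.
crypto ca certificate map ENG-MAP 10
 issuer-name attr cn eq "Example Corp Issuing CA"
 subject-name attr ou eq Engineering
!
crypto ca certificate map PARTNER-MAP 10
 issuer-name attr o eq "Partner Inc"
 subject-name attr cn co vpn-gw
!
! Step 2: the tunnel groups that the rules select, plus a catch-all group.
tunnel-group ENGINEERING type ipsec-l2l
tunnel-group PARTNER type ipsec-l2l
tunnel-group L2L-CATCHALL type ipsec-l2l
!
! Step 3: the group matching policy. The rules are consulted, and a
! certificate that matches none of them lands in the default group.
! The ou method is deliberately not enabled here, so an OU value alone
! never selects a tunnel group.
tunnel-group-map enable rules
tunnel-group-map default-group L2L-CATCHALL
!
! Step 4: bind each certificate map rule to its tunnel group.
tunnel-group-map ENG-MAP 10 ENGINEERING
tunnel-group-map PARTNER-MAP 10 PARTNER
```

After entering the configuration, confirm the rules and bindings with show running-config crypto ca certificate map and show running-config tunnel-group-map. Keep the default group as restrictive as the least trusted certificate holder warrants, since every certificate-authenticated peer that matches no rule is placed in it.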
