Enabling SSL VPNs (WebVPN) on Cisco IOS Devices
Enabling SSL VPNs on Cisco IOS Software is relatively straightforward and consists of eight basic steps:
Step 1. Configure domain name and name server addresses.
Step 2. Configure remote AAA for remote access user login authentication.
Step 3. Enroll with a CA and obtain an identity certificate.
Step 4. Enable WebVPN.
Step 5. Configure basic SSL parameters.
Step 6. Customize login and home pages (optional).
Step 7. Specify URLs.
Step 8. Configure port forwarding.
These steps are described in detail in the sections that follow.
Step 1: Configure Domain Name and Name Server Addresses
The first step in configuring a Cisco IOS SSL remote access VPN gateway is to configure the default domain name and name server IP addresses. Example 10-1 shows the configuration of the default domain name and name server IP address.
Example 10-1. Configuration of the Default Domain Name and DNS Server IP Address
!
ip domain name mjlnet.com
ip name-server 10.10.10.55
!
The ip domain name name command is used to configure the default domain name that the router uses to complete any unqualified host names.
The ip name-server server-address1 [server-address2...serveraddress6] command configures the IP addresses of up to six name servers.
Step 2: Configure Remote AAA for Remote Access User Login Authentication
Example 10-2 shows the configuration of remote AAA for remote access user authentication.
Example 10-2. Configuration of Remote AAA for Remote Access User Authentication
!
aaa new-model                                        (line 1)
!
!
aaa group server radius sslauth                      (line 2)
 server 10.10.10.51 auth-port 1645 acct-port 1646    (line 3)
!
aaa authentication login default group sslauth       (line 4)
!
radius-server key mjlnetkey                          (line 5)
!
The aaa new-model command (line 1) enables authentication, authorization, and accounting.
The aaa group server radius group-name command in line 2 is then used to configure a group of RADIUS servers. In this case, the name of the group of servers is sslauth.
In line 3, the server ip-address [auth-port port-number] [acct-port port-number] command is then used to specify the IP addresses of RADIUS servers in the group, along with the ports used for authentication/authorization (auth-port) and accounting (acct-port). In this case, there is only one server in the group (10.10.10.51), and the ports used for AAA are the defaults (1645 and 1646).
The aaa authentication login [default | method-list-name] group group-name command (line 4) configures login authentication using the default method list and the (previously created) RADIUS server group called sslauth. Login authentication is required for SSL remote access VPN users.
Note that it is possible to configure local authentication for SSL remote access VPN users using the aaa authentication login [default | method-list-name] local command in conjunction with a local username/password database configured using the username username password password command.
In a practical sense, however, a local username/password database on a Cisco IOS router is much more difficult to administer than a local user database on a VPN 3000 concentrator; this is why RADIUS is recommended when configuring SSL remote access VPNs using Cisco IOS Software. RADIUS can also be used for WebVPN on the VPN 3000 concentrator.
Finally, the radius-server key {0 string | 7 string | string} command in line 5 configures the key that is used to authenticate communications between the router and the RADIUS server (as well as encrypting user passwords sent to the server).
Step 3: Enroll the IOS Router with a CA and Obtain an Identity Certificate
Enrolling the Cisco IOS router with a CA and obtaining an identity certificate consists of the following:
- Setting the time on the Cisco IOS router
- Configuring the router's host name and IP domain name
- Generating RSA keys on the router
- Declaring the CA
- Authenticating the CA
- Enrolling the router with the CA
These tasks are described in detail in the section "IKE Digital Signature Authentication," starting on page 448 in Chapter 6, "Deploying Site-to-Site IPsec VPNs."
Step 4: Enable WebVPN
As shown in Example 10-3, the webvpn enable global configuration mode command is used to enable SSL remote access VPNs (WebVPN).
Example 10-3. Enabling SSL Remote Access VPNs (WebVPN)
mjlnet.vpn.gw.02#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
mjlnet.vpn.gw.02(config)#webvpn enable
mjlnet.vpn.gw.02(config)#exit
mjlnet.vpn.gw.02#
It is worth noting that if the Cisco IOS device is also configured as an HTTP secure (HTTPS) server, it is necessary to add the gateway-addr ip-address parameter to the webvpn enable command (webvpn enable gateway-addr ip-address). This parameter causes WebVPN to be enabled only on the (interface) IP address specified, so that the two HTTPS services do not collide.
Step 5: Configure Basic SSL Parameters
Having enabled WebVPN, the next step is to configure basic SSL parameters, including cryptographic algorithms (and associated cipher suites), and specify the SSL trustpoint.
Example 10-4 shows the configuration of basic SSL parameters.
Example 10-4. Configuration of Basic SSL Parameters
!
webvpn
 ssl encryption 3des-sha1
 ssl trustpoint sslcert
!
The webvpn global configuration command is used to enter WebVPN configuration mode.
Next is the ssl encryption [3des-sha1] [des-sha1] [rc4-md5] command. This command specifies the encryption and hashing algorithms that the router will accept from the client as constituents of cipher suites.
So, when a client proposes a number of cipher suites in its ClientHello message, the router will accept one of those that uses the algorithms that you specify using the ssl encryption command. The accepted cipher suite is, as previously described, sent to the client in the ServerHello message; see the section "Establishing an SSL Connection Between a Remote Access VPN User and an SSL VPN Gateway Using an RSA Handshake" earlier in this chapter for more information on the proposal and acceptance of cipher suites.
The ssl trustpoint trustpoint-name command specifies the PKI trustpoint, which in turn configures the parameters (including the certificates, CRL configuration, and so on) that are used for authentication during the SSL RSA handshake. Make sure that the trustpoint name configured using the ssl trustpoint command corresponds to that specified using the crypto pki trustpoint name command in Step 3; if the names do not match, the gateway has no identity certificate to present to clients.
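As an added check that is not from the book or from Cisco: a small Python audit, run against a constructed configuration excerpt modelled on the examples in this chapter, that verifies the Step 2, 3 and 5 relationships described above. It confirms that WebVPN is enabled, that the ssl trustpoint names a declared crypto pki trustpoint, that default login authentication and the RADIUS key are present, and that the ssl encryption keyword list does not admit the weaker des-sha1 or rc4-md5 suites (the WEAK_SUITES set and the sample text are assumptions of the example).

```python
import re

# Constructed sample running-config excerpt (not from a real device). The
# ssl encryption line deliberately lists every keyword the command accepts.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa group server radius sslauth
 server 10.10.10.51 auth-port 1645 acct-port 1646
aaa authentication login default group sslauth
radius-server key mjlnetkey
!
crypto pki trustpoint sslcert
!
webvpn enable
webvpn
 ssl encryption 3des-sha1 des-sha1 rc4-md5
 ssl trustpoint sslcert
!
"""

# Of the three keywords ssl encryption accepts, these two rely on 56-bit DES
# or RC4; an auditor would want them removed so they are never negotiated.
WEAK_SUITES = {"des-sha1", "rc4-md5"}


def audit_webvpn(config: str) -> list:
    """Return a list of findings for the WebVPN-related parts of an IOS config."""
    findings = []
    if not re.search(r"^webvpn enable", config, re.M):
        findings.append("webvpn is not enabled")
    # Step 5: which cipher suites the gateway will accept from the ClientHello.
    enc = re.search(r"^\s*ssl encryption(.*)$", config, re.M)
    if enc is None:
        findings.append("ssl encryption not set explicitly")
    else:
        for suite in enc.group(1).split():
            if suite in WEAK_SUITES:
                findings.append(f"weak cipher suite accepted: {suite}")
    # Step 3 / Step 5: ssl trustpoint must name a declared crypto pki trustpoint.
    declared = set(re.findall(r"^crypto pki trustpoint (\S+)", config, re.M))
    tp = re.search(r"^\s*ssl trustpoint (\S+)", config, re.M)
    if tp is None:
        findings.append("ssl trustpoint not set")
    elif tp.group(1) not in declared:
        findings.append(f"ssl trustpoint {tp.group(1)} has no matching crypto pki trustpoint")
    # Step 2: default login authentication must point at a RADIUS group with a key.
    if not re.search(r"^aaa authentication login default group \S+", config, re.M):
        findings.append("default login authentication is not RADIUS-based")
    if not re.search(r"^radius-server key \S+", config, re.M):
        findings.append("radius-server key missing")
    return findings
```

Running audit_webvpn(SAMPLE_CONFIG) reports only the two weak suites; trimming the ssl encryption line to 3des-sha1, as in Example 10-4, clears the findings.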
Step 6: Customize Login and Home Pages (Optional)
As an optional configuration step, it is also possible to customize the appearance of the WebVPN login and home pages using your own text and colors. Example 10-5 includes the commands that can be used to customize the text in the login and home pages.
Example 10-5. Commands Used to Customize the Login and Home Pages
!
webvpn
 title "TITLE.here"
 url-list "URL.List"
 heading "HEADING.here"
 login-message "LOGIN.Message.here"
!
The effect of the commands shown in Example 10-5 is best illustrated by examining Figures 10-51 and 10-52.
Figure 10-51. Customizing Text in the WebVPN Login Page
Figure 10-52. Customizing Text in the WebVPN Home Page
A quick comparison between Example 10-5 and Figure 10-51 shows that the title title-string command can be used to specify the HTML title string in the top right corner of the WebVPN login screen.
The login-message message-string command is used to specify the text in the login box in the upper center of the login screen.
In Figure 10-52, you can see that the heading heading-string command is used to configure the text heading on the upper left of the home page.
Finally, the text specified in the url-list list-name command is placed on the left of the home page and within the floating toolbar (shown in the lower right in Figure 10-52). URLs that a user can access are listed below this text.
Colors in the login and home pages can also be modified using the following commands:
- title-color color: Configures the color of the title bars of the login and home pages. The color parameter can be specified as comma-separated red, blue, green values; as HTML color values, beginning with a hash character (#); or as the name of an HTML color, with no spaces. For more information on HTML color values, do a search using your favorite Internet search engine; a huge number of sites describe these values.
- text-color [black | white]: Specifies the color of the text in the title bars.
- secondary-color color: Specifies the color of the secondary title bars of the login and home pages. The color parameter is specified in the same way as with the title-color command.
- secondary-text-color [black | white]: Specifies the color of the text in the secondary bars.
One final command that you can use to customize the appearance of the login and home pages is logo [file filename | none]. As you can probably guess, this command can be used to specify the logo image that is used (in place of the default Cisco logo in Figures 10-51 and 10-52). The image specified must be a JPG, GIF, or PNG file and must be less than 100k in size. The filename parameter is used to specify both the location and the name of the image file.
Step 7: Specify URLs
The url-text text url-value url command is used to configure the URLs that remote access users can access. The text parameter is used to specify the text that users can click to access the specified URL; the URL itself is specified with the url parameter. The text specified using this command is displayed under the text configured using the url-list command discussed in the previous section.
Example 10-6 shows some examples of the use of the url-text command.
Example 10-6. Specifying URLs Using the url-text Command
!
webvpn
 url-list "URL.List"
 url-text "URL.TEXT" url-value "http://www.mjlnet.com/engineering"
 url-text "URL.TEXT2" url-value "http://www.mjlnet.com/designs"
 url-text "URL.TEXT3" url-value "http://www.mjlnet.com/projects"
!
Step 8: Configure Port Forwarding
It is also possible to configure port forwarding on a Cisco IOS router. To configure this feature, use the port-forward {list list-name} {local-port port-number} {remote-server server-name-or-ip-address} {remote-port port-number} command, as shown in Example 10-7.
Example 10-7. Configuring Port Forwarding
!
webvpn
 port-forward list terminal-services local-port 3389 remote-server 10.10.10.52 remote-port 3389
!
If you compare the port-forward command shown in Example 10-7 to the example of TCP port forwarding described in the section "Enabling TCP Applications over Clientless SSL Remote Access VPNs" earlier in this chapter (see page 937), you will see that the command syntax is fairly self-explanatory:
- The list-name parameter configures a name that identifies a TCP application and is displayed in the Application Access window on the client.
- The local-port parameter is used to specify the TCP port of traffic on the client that is redirected over SSL to the Cisco IOS router.
- The server-name-or-ip-address parameter specifies the DNS name or IP address of the TCP application server.
- The remote-port parameter specifies the TCP port of the application on the application server.
Example 10-7 shows the configuration of port forwarding for a Windows Terminal Server (10.10.10.52) using the default TCP port 3389.