64-17
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 64 Configuring IPsec and ISAKMP
For example:
hostname(config)# crypto isakmp disconnect-notify
Configuring Certificate Group Matching for IKEv1
Tunnel groups define user connection terms and permissions. Certificate group matching lets you match
a user to a tunnel group using either the Subject DN or Issuer DN of the user certificate.
Note Certificate group matching with tunnel-group-map applies to IKEv1 and IKEv2 LAN-to-LAN connections only.
IKEv2 remote access connections instead use the group selection mechanisms of the webvpn-attributes of the
tunnel-group (the group alias and pull-down group selection) and the certificate-group-map command in webvpn
configuration mode.
To match users to tunnel groups based on these fields of the certificate, you must first create rules that
define the matching criteria, and then associate each rule with the desired tunnel group.
To create a certificate map, use the crypto ca certificate map command. To define a tunnel group, use
the tunnel-group command.
You must also configure a certificate group matching policy, specifying whether to select the group from the
rules, from the organizational unit (OU) field of the certificate, or to use a default group for all certificate
users. You can use any or all of these methods. Note that any certificate accepted by the configured trust point
that no rule matches falls through to the default group, so the default group should carry the most restrictive
policy.
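The following configuration carries the three steps above (certificate map rule, tunnel group, matching policy) through as one working fragment. It is an added example, not configuration from the Cisco guide; the trust point name CorpCA-TP, the map name EngineeringMap, the tunnel-group name Eng-L2L, and the DN values CorpCA and Engineering are assumptions. The rule matches on both the Issuer DN and the Subject DN so that a certificate carrying OU=Engineering issued by some other CA the ASA trusts does not select the same tunnel group.

```cisco
! Assumed names: CorpCA-TP, EngineeringMap, Eng-L2L, CorpCA, Engineering.
! Trust point for the CA that issues the peer certificates.
crypto ca trustpoint CorpCA-TP
 enrollment terminal
!
! Rule 10 of the map: match on the Issuer DN and on the Subject DN.
! Matching the issuer as well as the OU keeps a certificate from another
! trusted CA with the same OU from selecting this tunnel group.
crypto ca certificate map EngineeringMap 10
 issuer-name attr cn eq CorpCA
 subject-name attr ou eq Engineering
!
! LAN-to-LAN tunnel group the matched peers land in. With certificate
! matching the group name is free-form rather than the peer IP address.
tunnel-group Eng-L2L type ipsec-l2l
tunnel-group Eng-L2L ipsec-attributes
 ikev1 trust-point CorpCA-TP
!
! Matching policy: consult the rules, bind rule 10 of EngineeringMap to
! Eng-L2L, and send every other accepted certificate to the built-in
! DefaultL2LGroup. Keep DefaultL2LGroup's policy as narrow as possible,
! since any certificate the trust point accepts can reach it.
tunnel-group-map enable rules
tunnel-group-map EngineeringMap 10 Eng-L2L
tunnel-group-map default-group DefaultL2LGroup
```

The ikev1 keyword in the ipsec-attributes is the ASA 8.4 syntax; earlier releases use trust-point without it. Verify the mapping with show running-config tunnel-group-map; if the ou method is enabled in addition to rules, a certificate whose OU value equals the name of an existing tunnel group is placed in that group when no rule matches, so tunnel-group names should not be chosen to coincide with OU values the CA does not control.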
The following sections provide more information:
Creating a Certificate Group Matching Rule and Policy, page 64-17
Using the Tunnel-group-map default-group Command, page 64-19

Creating a Certificate Group Matching Rule and Policy

To configure the policy and rules by which certificate-based ISAKMP sessions map to tunnel groups,
and to associate the certificate map entries with tunnel groups, enter the tunnel-group-map command
in global configuration mode.
The syntax follows:
tunnel-group-map enable {rules | ou | ike-id | peer ip}
tunnel-group-map [rule-index] enable policy