topic Anyconnect 2.x, certificates and ACS 5.2 samples in Network Access Control

Anyconnect 2.x, certificates and ACS 5.2 samples

r.spiandorello — Mon, 11 Mar 2019 01:10:27 GMT

Hi, I'm looking for samples about anyconnect 2.x with PKI authentication through ASA 8.x and ACS 5.2.

The CA could be a internal Microsoft CA.

thanks

Anyconnect 3.0 certificates and ACS 5.2 samples

Herbert Baerten — Tue, 21 Jun 2011 09:16:29 GMT

hi rs,

not sure if I understand what you want to achieve. If all you want to do is certificate authentication, you don't need ACS.

In short:

- import the CA cert on the ASA

- configure the tunnel-group to use certificate auth

- make sure the connection lands on the correct tunnel-group (lots of possibilities here, but for a very basic scenario, just use the default tunnel-group).

Is there anything specific you need help with or are you just looking for a step by step guide?

The ASA config guide could be a good start:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpngrp.html

(I'm assuming you're using an ASA as the head end, if it's an IOS router let me know).

Or is it two-factor authentication that you're after? I.e. users need to authenticate using certificate AND username/password?

hth

Herbert

Anyconnect 3.0 certificates and ACS 5.2 samples

r.spiandorello — Tue, 21 Jun 2011 10:26:27 GMT

Hi Herbert, I want to use ACS 5.2, because I need to use ACS 5.2 as center of AAA for vpn remote-access users, in particular for authorization.

Some remote-access user groups could use ACS username/password authentication, other groups could use certificate authentication.

So, if authentication using certificate and username/password could be the solution, do you have samples ?

thanks

Re: Anyconnect 3.0 certificates and ACS 5.2 samples

r.spiandorello — Wed, 21 Sep 2011 17:21:55 GMT

Hi, I'm still looking for a sample

thanks

Sent from Cisco Technical Support iPhone App

Re: Anyconnect 3.0 certificates and ACS 5.2 samples

Herbert Baerten — Mon, 26 Sep 2011 10:48:30 GMT

Sorry, I was looking for some examples but couldn't really find any basic ones.

Could you clarify what part you need help with?

Re: Anyconnect 3.0 certificates and ACS 5.2 samples

r.spiandorello — Mon, 26 Sep 2011 11:47:22 GMT

Hi, the configuration needed of the ASA is a bit unclear because I need to use radius toward the ACS 5.2, not directly to the Microsoft CA.

Than I'd like to have a sample of the ASC 5.2 configuration.

thank you in advance

Re: Anyconnect 3.0 certificates and ACS 5.2 samples

Herbert Baerten — Mon, 26 Sep 2011 11:52:45 GMT

on my ASA I have:

aaa-server acs2 protocol radius

aaa-server acs2 (inside) host 10.0.0.1

key *****

tunnel-group test type remote-access

tunnel-group test general-attributes

authentication-server-group acs2

On ACS, I've just defined an AAA client with the ip address of my ASA (note, the ip address of the interface facing the ACS) with the same key (aka 'secret').

For ACS 5.2 specifically, I'm afraid I can't help you, but if the above doesn't help, try asking in the forum.

hth

Herbert

Anyconnect 2.x, certificates and ACS 5.2 samples

r.spiandorello — Tue, 27 Sep 2011 14:12:59 GMT

In particular, I have a sample "ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example", document 100413 and I need to place the ACS 5.2 between ASA and Microsoft CA.

In particular, I need to understand how to modify the isakmp and ipsec configuration to use ACS for certificate authentication.

thanks

Re: Anyconnect 3.0 certificates and ACS 5.2 samples

r.spiandorello — Thu, 17 Nov 2011 13:16:49 GMT

Hi, we have realized a pilot with 2-factor authentication (ASA 8.2.x, anyconnect 2.5.x, certificate + AAA) and it's running.

First of all, it's essential to populate the tunnel-group web-attributes with authentication aaa certificate.

About tunnel-group (connection profile) selection: in our pilot we have test the manual selection and the map from certificate fileds.

Is better to fetch it from ACS 5.2 ? How ?

thanks