<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic User authentication with certificates in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/user-authentication-with-certificates/m-p/251044#M434883</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Following scenario: user with certificate doing a VPN to VPN concentrator or PIX. Authentication is made on ACS 3.2(2).&lt;/P&gt;&lt;P&gt;VPN users are using certificates for authentication.&lt;/P&gt;&lt;P&gt;When they connect, the certificate is assimilated with group in VPN conc. or PIX. There is no user authentication. I believe there should be some user authentication in ACS. Group in VPN conc. is made by the book, but I can't find any option to authenticate user certificate against ACS (second time, I would say - first time VPN conc. checks the certificate). Am I losing something from this scenario? I need user authentication against ACS for accounting.&lt;/P&gt;&lt;P&gt;10x&lt;/P&gt;</description>
    <pubDate>Sun, 10 Mar 2019 14:39:29 GMT</pubDate>
    <dc:creator>8dstaicu</dc:creator>
    <dc:date>2019-03-10T14:39:29Z</dc:date>
    <item>
      <title>User authentication with certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/user-authentication-with-certificates/m-p/251044#M434883</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Following scenario: user with certificate doing a VPN to VPN concentrator or PIX. Authentication is made on ACS 3.2(2).&lt;/P&gt;&lt;P&gt;VPN users are using certificates for authentication.&lt;/P&gt;&lt;P&gt;When they connect, the certificate is assimilated with group in VPN conc. or PIX. There is no user authentication. I believe there should be some user authentication in ACS. Group in VPN conc. is made by the book, but I can't find any option to authenticate user certificate against ACS (second time, I would say - first time VPN conc. checks the certificate). Am I losing something from this scenario? I need user authentication against ACS for accounting.&lt;/P&gt;&lt;P&gt;10x&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 14:39:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/user-authentication-with-certificates/m-p/251044#M434883</guid>
      <dc:creator>8dstaicu</dc:creator>
      <dc:date>2019-03-10T14:39:29Z</dc:date>
    </item>
    <item>
      <title>Re: User authentication with certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/user-authentication-with-certificates/m-p/251045#M434884</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I'm going to make a blind stab at this as I don't fully understand your question.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Certificates are used to authenticate the VPN client (the software) more so than the user.  ACS does not provide certificate authentication.  The CA provides validation of the certificate.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you would like the Pix to authenticate a username/password in addition to checking the certificate for accounting purposes, then you'll need to use this:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;crypto map map-name client authentication aaa-server-name &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This will make the Pix do authentication of all dynamic VPN clients against the ACS server.  It won't provide true accounting though.  For that, you must configure the global [aaa authentication] and [aaa accounting] on the Pix.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 09 Feb 2004 03:31:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/user-authentication-with-certificates/m-p/251045#M434884</guid>
      <dc:creator>shannong</dc:creator>
      <dc:date>2004-02-09T03:31:42Z</dc:date>
    </item>
  </channel>
</rss>

