topic Re: Enable certificate authentication for NPS on ASA in Network Security

Enable certificate authentication for NPS on ASA

HuntLee304798 — Thu, 22 Oct 2020 00:29:40 GMT

Hi Cisco gurus,

For our AnyConnect VPN, I would like to enable certificate authentication for Microsoft Network Policy Server (NPS) with Cisco ASA.

I have tested and can get username/password auth with NPS, however I want to use certificate auth with NPS. Is this supported by Cisco ASA? If so, anyone can point me to some sample config on ASA + NPS of what I need to setup?

Cheers,

Hunt

Re: Enable certificate authentication for NPS on ASA

Mohammed al Baqari — Thu, 22 Oct 2020 07:23:54 GMT

Hi,

If you are referring to anyconnect client authentication using certificate
instead of username/password, yes this is supported. The authentication
will be verified by the CA server (not the NPS). NPS can be used for
authorization and download attributes after successful authentication.

https://community.cisco.com/t5/security-blogs/anyconnect-certificate-based-authentication/ba-p/3105546

**** please remember to rate useful posts

Re: Enable certificate authentication for NPS on ASA

Aref Alsouqi — Thu, 22 Oct 2020 10:31:21 GMT

NPS in itself is a RADIUS server, it can't provide certificate authentication services, however, I think you can configure the NPS to accept EAP-TLS requests, but you still need a CA server to act as the PKI authority. From the ASA perspective, in addition to the AnyConnect configuration, you need to create the trust point that will be used for authentication.

Re: Enable certificate authentication for NPS on ASA

HuntLee304798 — Thu, 22 Oct 2020 19:34:58 GMT

So NPS cannot be used for certificate authentication? Only for authorization?

Re: Enable certificate authentication for NPS on ASA

Aref Alsouqi — Fri, 23 Oct 2020 07:30:53 GMT

It can, but the certificates management in itself can't be done by the NPS services themselves, for that you need to rely on a CA. NPS can accept EAP-TLS requests, and check the validity of the certificates presented by the clients, if it is valid, will carry on checking the authentication and authorization policies, but I don't believe it can do more in terms of certificate authentication.

Re: Enable certificate authentication for NPS on ASA

HuntLee304798 — Sun, 25 Oct 2020 22:33:22 GMT

Hi Aref,

In ASDM, i can see that there are six (6) options for authentication. Which one should I choose so that the ASA will send EAP-TLS requests to Microsoft NPS?

AAA
AAA and Certificate
Certificate Only
SAML
Multiple Certificate and AAA
Multiple Certificate

Cheers,

Hunt

Re: Enable certificate authentication for NPS on ASA

Aref Alsouqi — Sun, 25 Oct 2020 23:55:42 GMT

Reading again this thread, I think if you use certificate authentication that would be terminated on the ASA and possibly checked against the certificate revocation check through the CA, so your RADIUS server would never be aware about it. What you can try to do is to enable AAA and Certificate, that would allow the users to authenticate by typing their username and password connected to the AD through the RADIUS server, and also through certificate that will be terminated on the ASA.

Re: Enable certificate authentication for NPS on ASA

HuntLee304798 — Mon, 26 Oct 2020 00:33:03 GMT

Hi Aref,

I do not want to use username/password auth as these are for my remote mobile users. Hence why I want to use certificate to authenticate.

Cheers,

Hunt

Re: Enable certificate authentication for NPS on ASA

Aref Alsouqi — Mon, 26 Oct 2020 00:36:04 GMT

Then you can just select certificate only as the authentication method.

Re: Enable certificate authentication for NPS on ASA

HuntLee304798 — Mon, 26 Oct 2020 02:53:45 GMT

Hi Aref,

I tried that option before. The ASA will authenticate the user based on their certificate, which is great! Unfortunately, it does not pass the auth request to NPS.

Cheers,

Hunt

Re: Enable certificate authentication for NPS on ASA

Aref Alsouqi — Mon, 26 Oct 2020 03:23:43 GMT

I don't believe there is a way to allow the ASA to pass the certificate authentication request to the RADIUS server. Even when using ISE, that will still be the case. I think the reason behind this is because in this case the ASA terminates the certificate authentication on itself, so it does not relay it anywhere. Also, as long as you configure the certificate revocation check via the CA, you don't really need to relay the certificate authentication. The ASA will accept the authentication requests only from the clients that have a certificate issued by the trusted CA configured on the ASA for authentication, then, the ASA would check against the CA to ensure the presented certificate is valid. Only if both these checks pass, the authentication is successful.