Anyconnect 2.x, certificates and ACS 5.2 samples

r.spiandorello
Level 1

Hi, I'm looking for samples about AnyConnect 2.x with PKI authentication through ASA 8.x and ACS 5.2.

The CA could be an internal Microsoft CA.

thanks

rs

8 Replies

Herbert Baerten
Cisco Employee

hi rs,

not sure if I understand what you want to achieve. If all you want to do is certificate authentication, you don't need ACS.

In short:

- import the CA cert on the ASA

- configure the tunnel-group to use certificate auth

- make sure the connection lands on the correct tunnel-group (lots of possibilities here, but for a very basic scenario, just use the default tunnel-group).

Is there anything specific you need help with or are you just looking for a step by step guide?

The ASA config guide could be a good start:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpngrp.html

(I'm assuming you're using an ASA as the head end, if it's an IOS router let me know).

Or is it two-factor authentication that you're after? I.e. users need to authenticate using certificate AND username/password?

hth

Herbert

Hi Herbert, I want to use ACS 5.2 because I need to use ACS 5.2 as the center of AAA for VPN remote-access users, in particular for authorization.

Some remote-access user groups could use ACS username/password authentication, other groups could use certificate authentication.

So, if authentication using certificate and username/password could be the solution, do you have samples?

thanks

r.spiandorello
Level 1

Hi, I'm still looking for a sample

thanks

Sent from Cisco Technical Support iPhone App

Sorry, I was looking for some examples but couldn't really find any basic ones.

Could you clarify what part you need help with?

Hi, the configuration needed on the ASA is a bit unclear because I need to use RADIUS toward the ACS 5.2, not directly to the Microsoft CA.

Then I'd like to have a sample of the ACS 5.2 configuration.

thank you in advance

rs

On my ASA I have:

    aaa-server acs2 protocol radius
    aaa-server acs2 (inside) host 10.0.0.1
     key *****
    tunnel-group test type remote-access
    tunnel-group test general-attributes
     authentication-server-group acs2

On ACS, I've just defined an AAA client with the IP address of my ASA (note: the IP address of the interface facing the ACS) with the same key (aka 'secret').

For ACS 5.2 specifically, I'm afraid I can't help you, but if the above doesn't help, try asking in the forum.

hth

Herbert

In particular, I have a sample "ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example", document 100413 and I need to place the ACS 5.2 between ASA and Microsoft CA.

In particular, I need to understand how to modify the isakmp and ipsec configuration to use ACS for certificate authentication.

thanks

rs

Hi, we have built a pilot with 2-factor authentication (ASA 8.2.x, AnyConnect 2.5.x, certificate + AAA) and it's running.

First of all, it's essential to populate the tunnel-group web-attributes with authentication aaa certificate.

About tunnel-group (connection profile) selection: in our pilot we have tested manual selection and the mapping from certificate fields.

Is it better to fetch it from ACS 5.2? How?

thanks

rs
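For readers following this thread, here is a consolidated ASA 8.2-style configuration that puts together the pieces discussed above: RADIUS to ACS 5.2, certificate plus username/password on the tunnel-group, and a certificate map that selects the connection profile from a certificate field instead of relying on the user's manual choice. This is an added example, not configuration posted by anyone in the thread; the trustpoint, group-policy, tunnel-group and map names, the 10.0.0.1 server address and the OU value VPN-Users are placeholders.

```text
! Added example (not from the thread). Names, OU value and addresses are placeholders.
! --- Trust the internal Microsoft CA so the ASA can validate client certificates ---
crypto ca trustpoint MS-CA
 enrollment terminal
 revocation-check crl
 exit
! then run "crypto ca authenticate MS-CA" and paste the CA certificate in PEM form

! --- RADIUS to ACS 5.2; the ASA's inside address must match the AAA client defined in ACS ---
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.1
 key <shared-secret>

! --- Connection profile: certificate AND username/password (two-factor) ---
group-policy GP-CERT-AAA internal
group-policy GP-CERT-AAA attributes
 vpn-tunnel-protocol svc
tunnel-group CERT-AAA type remote-access
tunnel-group CERT-AAA general-attributes
 authentication-server-group ACS
 default-group-policy GP-CERT-AAA
tunnel-group CERT-AAA webvpn-attributes
 authentication aaa certificate

! --- Select the profile from a certificate field (here: OU) rather than a user-chosen alias ---
crypto ca certificate map CERT-MAP 10
 subject-name attr ou eq VPN-Users
webvpn
 enable outside
 svc enable
 certificate-group-map CERT-MAP 10 CERT-AAA
```

When testing, also check what happens to a client whose certificate does not match the map: an unmatched connection falls back to the default tunnel-group, so that group's authentication settings matter as much as the mapped one's.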