Anyconnect VPN Authentication

Hi,

I am testing the AnyConnect VPN capabilities, and I am wondering if the following is possible.

1. I have an ASA 5525-X with Anyconnect configured.

2. Radius server has been installed for authentication.

Now I am able to connect to the AnyConnect VPN with my mobile phone, and I can access the devices which I need to have access to.

Every time you disconnect from the VPN and reconnect, you have to enter your username and password to be able to connect. This is of course normal, but I would like to know if it is possible to connect to the VPN using a certificate so you don't have to type in your username and password every time.

It should work like described below.

You connect to the AnyConnect VPN and provide your username and password, which are stored on the RADIUS server; a certificate is generated and stored on your mobile phone. The next time you connect to your VPN, you do not have to provide a username and password anymore.

Now I know the ASA can run as a local CA server, but then you need to create users in its database. Can it work with RADIUS?

Has anyone set this up before? Or does anyone know a solution to this?

Thanks in advance!!

Gr,

JP

Accepted Solution

Hall of Fame Guru

When using certificates, the ASA needs to trust the issuing Certificate Authority (CA) (or else act as the CA, though it's pretty bare bones as one). The user identity is reflected in that certificate.

You can choose to accept it as the complete single source for identity (username and password) or just partial (say, prefill the username in the authentication process from the certificate and make the end user provide a password).

We usually don't do the former, as it can be considered a security compromise since anyone with physical possession of the endpoint can authenticate without any knowledge of the credentials.

In the latter case, you could proxy the password with the username taken from the certificate to your RADIUS server.

One example is found here:

https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication

Another, with certificate being one factor in the authentication is here:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html
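The "latter case" from this reply (certificate supplies the username, RADIUS checks the password) as an added ASA configuration example; it is not from the original thread or the linked articles. The trustpoint, server-group, pool and tunnel-group names and the 10.1.1.5 / 10.200.0.x addresses are assumed placeholders.

```cisco
! Constructed example: certificate + RADIUS password on an ASA.
! CORP-CA, RADIUS-SRV, VPN-POOL, ANYCONNECT-TG and the addresses are assumed.

! 1. Trust the CA that issues the client certificates.
!    "crypto ca authenticate" is run from privileged EXEC and prompts for the CA cert.
crypto ca trustpoint CORP-CA
 enrollment terminal
crypto ca authenticate CORP-CA

! 2. RADIUS server group that will verify the user's password.
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.5
 key <shared-secret>

! 3. Address pool handed to connected clients.
ip local pool VPN-POOL 10.200.0.10-10.200.0.100 mask 255.255.255.0

! 4. Tunnel group: require BOTH a valid certificate and AAA,
!    take the username from the certificate CN and pre-fill it so the
!    client only prompts for the password, which is sent to RADIUS.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-SRV
 username-from-certificate CN
tunnel-group ANYCONNECT-TG webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 group-alias ANYCONNECT enable

! 5. Enable AnyConnect on the outside interface.
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

Because `authentication aaa certificate` demands both factors, a phone that holds the certificate still cannot connect without the RADIUS password, which is the trade-off this reply recommends over certificate-only authentication.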

Replies

Thank you for your response. Does this also work on iOS / Android phones?


Hi,

OK, I have it working for my iPhone now. I use the ASA as the local CA server. Now I can connect with only a certificate. But I had to create a username in the user database, and had to log in with that username and the one-time password from the ASA.

So I am one step further; now I want to use a RADIUS server instead of the local user database from the CA server. Do you happen to know how to query the RADIUS server?

Thanks in advance!


As is implied in the first article I linked, certificate-based authentication (whether the CA is the ASA itself or an external server) is an alternative or additional form other than an external AAA server (RADIUS or LDAP generally).

I could see two alternative scenarios:

1. Add the RADIUS server as the second authentication method. That's the second link I posted earlier. You would have to enter at least the RADIUS user password though.

2. Use a combined backend server as both the CA and authentication server. This would commonly be something like Microsoft Windows server with Certificate Services role (as the CA) and the users who are issued certificates being AD users in the domain.