03-30-2018 07:23 AM - edited 02-21-2020 07:35 AM
Dears,
I'm following the above link for AnyConnect client VPN double authentication, but the document is not clear to me, so I have described in the steps below how I think the double authentication occurs. Please correct me if I'm wrong.
Each user has to generate a signing request from his Windows PC, the CSR has to be signed by the CA, and the CA root certificate has to be available as a trustpoint in the ASA to authenticate. But I don't find any trustpoint mapping configuration for the tunnel-group which I created, because I don't want default certificate authentication for all tunnel groups. Also I have one more question here: can the user certificate that was signed by the CA be used with multiple users? I hope it should not, but how will each user be unique from the others if they are authenticating by the certificate as a double authentication?
Thanks
04-14-2018 03:30 PM
User certificates can be issued from a different CA, does not have to be the same CA that signed the ASA certificate. This is because the client and server certificates are validated separately in an SSL transaction. First the client validates the server (ASA) certificate and the server validates the client (user) certificate. User certificates are usually issued by an internal CA server like MS CA server, while the server certificate is issued by a public trusted CA. If an internal CA signed the ASA cert, you would have to import the CA certificate of that CA into a separate trustpoint on the ASA. The ASA will search all the trustpoints for a CA certificate while validating the client cert.
04-15-2018 06:04 AM
Dear Rahul
thanks for the reply,
Can you suggest, instead of going with an internal CA for the clients, whether I can go with the GlobalSign CA? Which type of certificate from their products would I have to purchase? Their sales are not able to propose one. And how will user A be unique from user B in authentication?
Thanks
04-16-2018 06:59 AM
Certificates issued by a public CA like Global Sign are meant for servers and headend devices (ASA in your case). Technically you could have a cert issued to any domain that you own. But the SSL certs issued by these CA's usually only have "Server Authentication" under the extended key usage section under the Cert attributes. For a client certificate, you need to have "Client authentication" under the EKU field of the certificate. Some CA's include both of Server and client authentication, so you may be in luck.
If you use a public CA, you can't really differentiate between 2 users unless you buy a certificate for each user - which makes no sense to do from a cost perspective. You can add the same certificate on multiple machines once you export it as a PKCS12 from the machine that you generated the CSR from. My suggestion would be to look at adding the PKI functionality to an existing Windows Server environment.
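An added example, not from this thread, that shows the EKU point above with OpenSSL: a lab CA issues one user cert with the "Client Authentication" EKU and one with only "Server Authentication", then each is checked for TLS client use. The CA name, user names and temp directory are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a lab CA with OpenSSL, issue
# one user cert with the "Client Authentication" EKU and one with only
# "Server Authentication", then check which one is acceptable for client
# auth (the same EKU rule the ASA applies to a user certificate).
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_ca() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/CN=Lab Internal CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert <name> <eku>   (eku: clientAuth or serverAuth)
# One key pair and one certificate per name, so each user is distinct.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Succeeds only if the cert chains to the lab CA and its EKU permits TLS
# client use; a serverAuth-only cert fails here, as it would on the ASA.
check_client_auth() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1
}

# Subject of the issued cert: this is what makes user A distinct from user B.
cert_subject() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject
}

make_ca
issue_cert alice clientAuth
issue_cert webserver serverAuth
for n in alice webserver; do
  if check_client_auth "$n"; then
    echo "$n: OK for client authentication ($(cert_subject "$n"))"
  else
    echo "$n: REJECTED for client authentication"
  fi
done
```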
04-17-2018 12:05 PM
Thanks for the reply,
So your suggestion is to build an MS CA server on premises and authenticate the clients and the ASA (trustpoint) by this CA?
thanks
04-18-2018 05:29 AM
Public CA cert for ASA, MS CA certs for clients. You can also use the ASA Local CA server for clients, but there are concepts and limitations that you need to be aware of before you start generating client certs.