10-21-2020 05:29 PM
Hi Cisco gurus,
For our AnyConnect VPN, I would like to enable certificate authentication for Microsoft Network Policy Server (NPS) with Cisco ASA.
I have tested and can get username/password auth with NPS, however I want to use certificate auth with NPS. Is this supported by Cisco ASA? If so, can anyone point me to a sample config for ASA + NPS showing what I need to set up?
Cheers,
Hunt
10-22-2020 12:23 AM
10-22-2020 12:34 PM
So NPS cannot be used for certificate authentication? Only for authorization?
10-23-2020 12:30 AM
It can, but certificate management in itself can't be done by the NPS services themselves; for that you need to rely on a CA. NPS can accept EAP-TLS requests and check the validity of the certificates presented by the clients. If the certificate is valid, it will carry on checking the authentication and authorization policies, but I don't believe it can do more in terms of certificate authentication.
10-25-2020 03:33 PM
10-25-2020 04:54 PM - edited 10-25-2020 04:55 PM
Reading this thread again, I think if you use certificate authentication it would be terminated on the ASA and possibly checked against the certificate revocation check through the CA, so your RADIUS server would never be aware of it. What you can try to do is to enable AAA and Certificate; that would allow the users to authenticate by typing their username and password, connected to AD through the RADIUS server, and also through the certificate, which will be terminated on the ASA.
10-25-2020 05:33 PM
Hi Aref,
I do not want to use username/password auth as these are my remote mobile users. Hence I want to use certificates to authenticate.
Cheers,
Hunt
10-25-2020 05:36 PM
Then you can just select certificate only as the authentication method.
10-25-2020 07:53 PM
Hi Aref,
I tried that option before. The ASA will authenticate the user based on their certificate, which is great! Unfortunately, it does not pass the auth request to NPS.
Cheers,
Hunt
10-25-2020 08:23 PM
I don't believe there is a way to allow the ASA to pass the certificate authentication request to the RADIUS server. Even when using ISE, that will still be the case. I think the reason behind this is because in this case the ASA terminates the certificate authentication on itself, so it does not relay it anywhere. Also, as long as you configure the certificate revocation check via the CA, you don't really need to relay the certificate authentication. The ASA will accept the authentication requests only from the clients that have a certificate issued by the trusted CA configured on the ASA for authentication, then, the ASA would check against the CA to ensure the presented certificate is valid. Only if both these checks pass, the authentication is successful.
10-22-2020 03:31 AM
NPS in itself is a RADIUS server; it can't provide certificate authentication services. However, I think you can configure NPS to accept EAP-TLS requests, but you still need a CA server to act as the PKI authority. From the ASA perspective, in addition to the AnyConnect configuration, you need to create the trustpoint that will be used for authentication.
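As an added example that is not from any post in this thread: a minimal ASA configuration for the model Aref describes above and in the 10-25 reply, with certificate authentication terminated on the ASA, revocation checked against the issuing CA's CRL, and NPS used only as a RADIUS authorization server. The trustpoint, group and server names, the NPS address and the shared secret are placeholders.

```text
! Trustpoint holding the issuing CA certificate. The ASA accepts only client
! certificates that chain to this CA and checks the CRL the CA publishes.
crypto ca trustpoint CORP-ISSUING-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
! Then, in exec mode, import the CA certificate with:
!   crypto ca authenticate CORP-ISSUING-CA

! NPS is reachable only as a RADIUS server (placeholder address and secret).
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>

tunnel-group MOBILE-USERS type remote-access
tunnel-group MOBILE-USERS general-attributes
 default-group-policy MOBILE-GP
! Identity is taken from the certificate; no username/password prompt.
 username-from-certificate CN
! After the ASA has validated the certificate, ask NPS whether the user
! is authorized; a RADIUS reject ends the session.
 authorization-server-group NPS-RADIUS
 authorization-required
tunnel-group MOBILE-USERS webvpn-attributes
 authentication certificate
 group-alias mobile enable
```

Because no password is typed, the NPS network policy must match on the certificate-derived username rather than on credentials. The CRL check and the RADIUS authorization are separate failure points, so test each one (a revoked certificate, an NPS reject) before rollout.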