Firepower MFA Client Certificate

MarkRowe
Level 1

Hi all,
My org is looking to implement a per-device or per-user client certificate to accompany uname/pw authentication in AnyConnect. Is it possible to do this in Firepower Management Center? We are interested in preventing our security from being compromised if a user's creds get leaked.
Many thanks for any advice.
Regards,

Mark

5 Replies

Rahul Govindan
VIP Alumni

Yes. This is possible on an FTD managed via FMC starting with version 6.4

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/relnotes/firepower-release-notes-640/features.html
Secondary authentication, also called double authentication, adds an additional layer of security to RA VPN connections by using two different authentication servers. With secondary authentication enabled, AnyConnect VPN users must provide two sets of credentials to log in to the VPN gateway.

RA VPN supports secondary authentication for the AAA Only and Client Certificate and AAA authentication methods.

New/modified screens:

Devices > VPN > Remote Access > add/edit configuration > Connection Profile > AAA area

Supported platforms: FTD
Hi Rahul,
Do you have any links to instructions on how exactly to set up the Client Certificate authentication with FTD? I can see in the FMC GUI where to set this up, but what I don't understand is exactly what certificate is needed on the client in what location/cert store for this to work.
I would like FTD/AnyConnect to require a client certificate that was already deployed to my clients by my MS CA when the devices/users were joined to the domain. Is this possible? Or does the cert have to be deployed by FTD somehow? Or pre-deployed with AnyConnect? I just can't figure out these details in the Cisco docs. Thanks.

The logic for client certificate authentication on FTD is more or less the same as it is for ASA. Have a look at the ASA examples for some sample configs:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html

The issuer (Certificate Authority or CA) of the client certificates needs to be trusted by the headend.


@Marvin Rhoads wrote:

The issuer (Certificate Authority or CA) of the client certificates needs to be trusted by the headend.


I was able to get AAA+Certificate authentication working on my FTD, though I didn't set up any kind of trust between the FTD and my internal CA. So I am not sure how FTD/AnyConnect is verifying the certificate?
I am using LDAP Realm authentication to my Active Directory. Is FTD using LDAP to verify the cert with my AD? How do I confirm this is what is happening? The documentation from Cisco on how this all works is very lacking.

That's odd - I would expect FTD/FMC to have to trust the issuing CA for the client certificate to be recognized as valid.

If you were using LDAPS I could understand it - but not plain LDAP.
