Firepower MFA Client Certificate

Hi all,


My org is looking to implement a per-device or per-user client certificate to accompany uname/pw authentication in AnyConnect. Is it possible to do this in Firepower Management Center? We are interested in preventing our security from being compromised if a user's creds get leaked.


Many thanks for any advice.




Rahul Govindan

Yes. This is possible on an FTD managed via FMC starting with version 6.4


Secondary authentication, also called double authentication, adds an additional layer of security to RA VPN connections by using two different authentication servers. With secondary authentication enabled, AnyConnect VPN users must provide two sets of credentials to log in to the VPN gateway.

RA VPN supports secondary authentication for the AAA Only and Client Certificate and AAA authentication methods.

New/modified screens:

Devices > VPN > Remote Access > add/edit configuration > Connection Profile > AAA area

Supported platforms: FTD


Hi Rahul,


Do you have any links to instructions on how exactly to setup the Client Certificate authentication with FTD? I can see in the FMC GUI where to set this up, but what I don't understand is exactly what certificate is needed on the client in what location/cert store for this to work.


I would like FTD/AnyConnect to require a client certificate that was already deployed to my clients by my MS CA when the devices/users were joined to the domain. Is this possible? Or does the cert have to be deployed by FTD somehow? Or pre-deployed with AnyConnect? I just can't figure out these details in the Cisco docs. Thanks.

The logic for client certificate authentication on FTD is more or less the same as it is for ASA. Have a look at the ASA examples for some sample configs:

The issuer (Certificate Authority or CA) of the client certificates needs to be trusted by the headend.

@Marvin Rhoads wrote:

The issuer (Certificate Authority or CA) of the client certificates needs to be trusted by the headend.

I was able to get AAA+Certificate authentication working on my FTD, though I didn't setup any kind of trust between the FTD and my internal CA. So I am not sure how FTD/AnyConnect is verifying the certificate?


I am using LDAP Realm authentication to my Active Directory. Is FTD using LDAP to verify the cert with my AD? How do I confirm this is what is happening? The documentation from Cisco on how this all works is very lacking.

That's odd - I would expect FTD/FMC to have to trust the issuing CA for the client certificate to be recognized as valid.

If you were using LDAPS I could understand it - but not plain LDAP.
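The point made twice in this thread, that the headend has to trust the CA that issued the client certificate, can be reproduced offline with a throwaway PKI. The script below is an added example written for this thread, not Cisco code and not the FTD/FMC trustpoint mechanism itself: it builds two self-signed CAs (a constructed "Corp-CA" standing in for the internal MS CA, and an unrelated "Other-CA"), issues one client certificate from each, then runs the same chain check a headend performs (`openssl verify` against a trust bundle) and prints the issuer of a client cert, which is the first thing to look at when certificate authentication appears to work without an explicit trust configuration. All names and files are constructed; it needs only `openssl` and a POSIX shell.

```shell
#!/bin/sh
# Constructed example: a two-CA throwaway PKI showing why the VPN headend
# must trust the issuing CA before a client certificate counts as valid.
# Not Cisco code. Requires only openssl; everything is created in a temp dir.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA named $1 (files $1.key / $1.crt) with CN=$2.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a client certificate $1 for user CN=$2, signed by CA $3.
make_client_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -days 1 \
        -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Headend-style check: does client cert $1 chain to the trust bundle $2?
# openssl verify also enforces the validity period and the CA signature.
# Prints "trusted" or "untrusted" and returns 0 / 1 accordingly.
check_client_cert() {
    if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo trusted
        return 0
    else
        echo untrusted
        return 1
    fi
}

# Print the issuer DN of client cert $1 in RFC 2253 form, e.g. "CN=Corp-CA".
# This is what to compare against the CA the headend actually trusts.
cert_issuer() {
    openssl x509 -in "$WORK/$1.crt" -noout -issuer -nameopt RFC2253 \
        | sed 's/^issuer= *//'
}

# --- constructed scenario ---------------------------------------------------
make_ca corp-ca  "Corp-CA"     # the internal CA the headend is meant to trust
make_ca other-ca "Other-CA"    # an unrelated CA the headend knows nothing about
make_client_cert alice alice corp-ca    # domain-issued client cert
make_client_cert bob   bob   other-ca   # cert from a CA outside the trust bundle

echo "alice issued by: $(cert_issuer alice)"
echo "bob   issued by: $(cert_issuer bob)"
echo "alice vs Corp-CA trust bundle:  $(check_client_cert alice corp-ca)"
echo "bob   vs Corp-CA trust bundle:  $(check_client_cert bob corp-ca)"
echo "bob   vs Other-CA trust bundle: $(check_client_cert bob other-ca)"
```

Running it shows that a correctly signed, unexpired client certificate is still "untrusted" when the verifier's bundle does not contain its issuer, and becomes "trusted" only when that issuer is in the bundle; the same dependency is what the headend's CA trust configuration expresses. If AAA plus certificate authentication succeeds on a real deployment with no such trust configured, comparing `cert_issuer` output with what the headend actually trusts is the quickest way to find out which check is really being applied.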