Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

AnyConnect VPN Authentication and Encryption methods on ASA

Labels:
21842
Views
0
Helpful
1
Comments
Prabhu Nagarajan
Beginner
‎11-15-2012 03:20 AM
edited on: ‎08-28-2017 ‎02:10 AM

 

Introduction

This document deals with the different types of authentication methods that can be used for AnyConnect VPN on ASA.

Types of authentication

Following is the list of authentication methods available for AnyConnect VPN:

 

• RADIUS

• RADIUS with Password Expiry (MSCHAPv2) to NT LAN Manager (NTLM)

• RADIUS one-time password (OTP) support (state/reply message attributes)

• RSA SecurID (including SoftID integration)

• Active Directory/Kerberos

• Embedded Certificate Authority (CA)

• Digital Certificate/Smartcard (including Machine Certificate support), auto- or user-selected

• Lightweight Directory Access Protocol (LDAP) with Password Expiry and Aging

• Generic LDAP support

• Combined certificate and username/password multifactor authentication (double authentication).

Encryption Methods

Various encryption methods supported by AnyConnect VPN are listed below:

  • Strong encryption, including AES-256 and 3DES-168. (The security  gateway device must have a strong-crypto license enabled.)

 

  • Next-Generation Encryption, including NSA Suite B algorithms, ESPv3  with IKEv2, 4096-bit RSA keys, Diffie-Hellman group 24, and enhanced  SHA2 (SHA-256 & SHA-384). (Only applies to IPsec IKEv2 connections.  Cisco AnyConnect Premium license required.)

 

From security standpoint, it does not matter much which Encryption method is being used since IKE will anyway encrypt the traffic between the client and the  head end.

 

Reference:

 

Source:https://supportforums.cisco.com/thread/2181165?tstart=0

0 Helpful
Comments
fm network
Beginner
Beginner
‎01-10-2013 06:17 AM
‎01-10-2013 06:17 AM

Hey Buddy,

If I am using AD as ab authentication, can you tell me hot to map proffile with user.

Latest Contents
what 's AnyConnect_Client_Local_Print ACL?
Created by Fotit on 03-07-2021 06:03 AM
2
0
2
0
ASA9.1(5)ASDM 771I used vpn wizards to configure ssl vpn client ( AnyConnect)1- when i try to transfer operations on the asa device, i see this "big list" of commands called AnyConnect_Client_Local_Print ACL !!I couldn't not cancel it and i don't und... view more
Cisco ASA AnyConnect behind another firewall
Created by wayne loh on 03-07-2021 03:11 AM
4
0
4
0
Hi All, Would like some configuration guide on the attached setup for the cisco asa anyconnect behind another firewall. The perimeter firewall will have public IP address natted to the cisco asa interface (using private ip address). However, in this ... view more
ISE Posture Status - Compliant to Unknown
Created by Mohammad Raza Meer on 03-06-2021 06:38 AM
0
5
0
5
Hello All, I am facing issue in Cisco ISE for Wired Users and would like to get your help. Below are the details 1. We are using ISE version 2.7. 2. Two different series of Cisco Switches 2960x and 9200 3. No issue faced by users who a... view more
CISCO-ISE-Essentials-VLAN
Created by abdulkarim041 on 03-06-2021 06:09 AM
1
5
1
5
 Hi, Can any one confirm,  ISE Essentials license is enough to put a end host in required VLAN?  BR 
ISE-Device admin- License
Created by abdulkarim041 on 03-06-2021 02:48 AM
3
0
3
0
hi, is L-ISE-TACACS-ND= part number under eol? I am unable to qoute it in CCW tool.  BR
Content for Community-Ad