cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

AnyConnect VPN Authentication and Encryption methods on ASA

15392
Views
0
Helpful
1
Comments

 

Introduction

This document deals with the different types of authentication methods that can be used for AnyConnect VPN on ASA.

Types of authentication

Following is the list of authentication methods available for AnyConnect VPN:

 

• RADIUS

• RADIUS with Password Expiry (MSCHAPv2) to NT LAN Manager (NTLM)

• RADIUS one-time password (OTP) support (state/reply message attributes)

• RSA SecurID (including SoftID integration)

• Active Directory/Kerberos

• Embedded Certificate Authority (CA)

• Digital Certificate/Smartcard (including Machine Certificate support), auto- or user-selected

• Lightweight Directory Access Protocol (LDAP) with Password Expiry and Aging

• Generic LDAP support

• Combined certificate and username/password multifactor authentication (double authentication).

Encryption Methods

Various encryption methods supported by AnyConnect VPN are listed below:

  • Strong encryption, including AES-256 and 3DES-168. (The security  gateway device must have a strong-crypto license enabled.)

 

  • Next-Generation Encryption, including NSA Suite B algorithms, ESPv3  with IKEv2, 4096-bit RSA keys, Diffie-Hellman group 24, and enhanced  SHA2 (SHA-256 & SHA-384). (Only applies to IPsec IKEv2 connections.  Cisco AnyConnect Premium license required.)

 

From security standpoint, it does not matter much which Encryption method is being used since IKE will anyway encrypt the traffic between the client and the  head end.

 

Reference:

 

Source:https://supportforums.cisco.com/thread/2181165?tstart=0

Comments
Beginner

Hey Buddy,

If I am using AD as ab authentication, can you tell me hot to map proffile with user.