Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel

AnyConnect VPN Authentication and Encryption methods on ASA

Labels:
15392
Views
0
Helpful
1
Comments
Prabhu Nagarajan
Prabhu Nagarajan Beginner
‎11-15-2012 03:20 AM
edited on: ‎08-28-2017 ‎02:10 AM

 

Introduction

This document deals with the different types of authentication methods that can be used for AnyConnect VPN on ASA.

Types of authentication

Following is the list of authentication methods available for AnyConnect VPN:

 

• RADIUS

• RADIUS with Password Expiry (MSCHAPv2) to NT LAN Manager (NTLM)

• RADIUS one-time password (OTP) support (state/reply message attributes)

• RSA SecurID (including SoftID integration)

• Active Directory/Kerberos

• Embedded Certificate Authority (CA)

• Digital Certificate/Smartcard (including Machine Certificate support), auto- or user-selected

• Lightweight Directory Access Protocol (LDAP) with Password Expiry and Aging

• Generic LDAP support

• Combined certificate and username/password multifactor authentication (double authentication).

Encryption Methods

Various encryption methods supported by AnyConnect VPN are listed below:

  • Strong encryption, including AES-256 and 3DES-168. (The security  gateway device must have a strong-crypto license enabled.)

 

  • Next-Generation Encryption, including NSA Suite B algorithms, ESPv3  with IKEv2, 4096-bit RSA keys, Diffie-Hellman group 24, and enhanced  SHA2 (SHA-256 & SHA-384). (Only applies to IPsec IKEv2 connections.  Cisco AnyConnect Premium license required.)

 

From security standpoint, it does not matter much which Encryption method is being used since IKE will anyway encrypt the traffic between the client and the  head end.

 

Reference:

 

Source:https://supportforums.cisco.com/thread/2181165?tstart=0

0 Helpful
Comments
fm network
fm network Beginner
Beginner
‎01-10-2013 06:17 AM
‎01-10-2013 06:17 AM

Hey Buddy,

If I am using AD as ab authentication, can you tell me hot to map proffile with user.

Latest Contents
ASA Cluster: Replace SSP modules
Created by KumarMittal41432 on 09-24-2019 12:42 AM
0
0
0
0
I have 2 ASA 5585-X SSP 40 cluster installed with Oldser generation IPS-SSP-40 modules. The IPS modules are used only for their 10 gig interface capability for the data path, without being used for any IPS functionality. The 10Gig Network Interface on the... view more
ISE posture NON-COMPLIANT not working
Created by peter.matuska1 on 09-23-2019 11:56 PM
0
0
0
0
Hi,we use 2.3, patch 6 at the customer and the problem is following. The posture checks the update of the AM database and if it is older than 30 days, the PC should be noncompliant. The problem is that the posture updates stopped to download since 09/30/2... view more
Cisco Nexus VDC password recovery
Created by Mohamed Kabeer S on 09-23-2019 10:49 PM
0
0
0
0
Dear All, Good day, I have cisco Nexus 7000 series switches with VPC configured. I have 3 VDC configured in each nexus switch and the password for 2 VDC in 1 switch and 3 VDC in another switch includes admin VDC password not working. I have to r... view more
FTD as Proxy
Created by toufiqkorai@gmail.com on 09-23-2019 07:51 PM
0
0
0
0
Hi, Can we use Our FTD2120   FWs as proxy. actually we have Symantec Proxy SG and needs to  move all its functions to  FTD because FTD supports URL/WEB Filtering and can do web filtering. Can we get all types of proxy functio... view more
Migrating ASA HA pair to FTD
Created by Davion Stewart on 09-23-2019 07:47 PM
2
0
2
0
Good night all,  Been checking up the FTD migration tool as soon we will be migrating cisco ASA active/standby pair to FTD appliances.  Based on the Read ME of the Migration Tool (See Link below), it says the following: "The Migration ... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
August's Community Spotlight Awards