Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1772
Views
0
Helpful
5
Replies

AnyConnect password

pronin_sergey
Level 1
Level 1

‎01-09-2013 01:22 AM

Hello guys,

we have ASA5510 with AnyConnect and Clientless VPN enabled on.

The authentication and authorization goes through AAA server, based on information retrieved from client's eToken.

On login page of clientless VPN I should choose an alias and enter password. The password could be anything. Literally anything.

Is there a way to disable the password request?

I've tried to remove the checkbox from Configuration -> Remote Access VPN - > Clientless SSL VPN Access -> Connection profiles -> "Allow user to select connection profile ....".

This enables DefaultWEBVPNGroup profile. Yeah, drop down menu with alias selection disappears, but I still should enter the password.

Is there a way to remove this password request?

--

Regards,

Sergey

Labels:
0 Helpful
5 Replies 5

Karsten Iwen
VIP
VIP

‎01-09-2013 02:37 AM

If you don't want to use any passwords for your VPN, then you have to deploy client-certificates to your users. With these the users can also be authenticated.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

pronin_sergey
Level 1
Level 1
In response to Karsten Iwen

‎01-09-2013 03:37 AM

Karsten, does this mean that I should add a certificate for each user?

I have few CA certificates. If user "matches" one of these certs, I let this user to try to authenticate and authorize on AAA server.

--

Regards,

Sergey

0 Helpful

Karsten Iwen
VIP
VIP
In response to pronin_sergey

‎01-09-2013 03:50 AM

Yes, you can use the ASA as a CA-server (unless you run Failover where the local CA is not supported) or you use a separate CA like the one included in Windows Server. Each user/device is enrolled with a certificate. If that user connects, the ASA can be configured to don't prompt for a username/password and just let the user in.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

pronin_sergey
Level 1
Level 1
In response to Karsten Iwen

‎01-09-2013 04:49 AM

Thanks.

I guess I get it now.

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to pronin_sergey

‎01-15-2013 04:57 PM

You could check this out:

AnyConnect Certificate Based Authentication

Hope to help

Portu.

Please rate any helpful posts!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents