8670 Views · 10 Helpful · 8 Replies

ASA AnyConnect double authentication with machine and user certificate

Marcus Hunold
Level 1

Hello,

basics: newest ASA/AnyConnect software and Windows Client

I want to do the following:

  • First Authentication with user certificate - checking for user
  • Second Authentication with machine certificate - checking for company hardware

(No interaction from the user during connection establishment is necessary.)

By default, in the "Connection Profiles" configuration it is only possible to configure the authentication method "both", which means certificate and AAA, i.e. username + password/passcode.

 

Is there a way to implement double certificate authentication as mentioned anyway?

  • Maybe with help/support from DAP or SDM - Prelogin Policy.

Regards, Marcus

8 Replies

Michael Muenz
Level 5

You could check for secret registry keys with a prelogin policy to verify that it's company hardware.

Michael. Please rate all helpful posts.

Marvin Rhoads
Hall of Fame

On your connection profile editing window, go under "advanced". There you have the option of specifying a secondary authentication method independent of the primary method. Using that approach, you can specify certificate method for both authentications.

As noted, you could also have a prelogin policy (DAP) to check for various files (or even their hash, for greater security), registry keys, etc. For instance, you could check that the machine is a domain machine (independent of the user).
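As an added example that is not part of Marvin's reply or of any Cisco documentation, the following ASA CLI sketch shows the two connection-profile shapes discussed in this thread: certificate plus AAA (the secondary-authentication route above) and a machine-plus-user certificate profile for the no-prompt case the original question asks for. All object names, addresses and DNs are assumptions, and the `authentication multiple-certificate` form is assumed to be available on the running ASA/AnyConnect release.

```cisco
! Added example, not from this thread. Names, addresses and DNs are assumptions.
! Root CA that issued both the machine and the user certificates
crypto ca trustpoint CORP-ROOT-CA
 enrollment terminal
 revocation-check crl

ip local pool VPN-POOL 10.10.10.10-10.10.10.200 mask 255.255.255.0
group-policy GP-CORP internal
group-policy GP-CORP attributes
 vpn-tunnel-protocol ssl-client

! LDAP server group for the username/password factor (AD bind account assumed)
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=corp
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=corp
 ldap-login-password <bind-password>
 server-type microsoft

! Shape 1: certificate as primary factor plus AAA as the second factor
! (the "Advanced > Secondary Authentication" path from the reply above)
tunnel-group CORP-CERT-AAA type remote-access
tunnel-group CORP-CERT-AAA general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAP-SRV
 default-group-policy GP-CORP
 username-from-certificate CN
tunnel-group CORP-CERT-AAA webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 group-alias corp-cert-aaa enable

! Shape 2: machine certificate plus user certificate, no prompt for the user
! Assumption: the running release supports multiple-certificate authentication
tunnel-group CORP-DUAL-CERT type remote-access
tunnel-group CORP-DUAL-CERT general-attributes
 address-pool VPN-POOL
 default-group-policy GP-CORP
 username-from-certificate CN
tunnel-group CORP-DUAL-CERT webvpn-attributes
 authentication multiple-certificate
 group-alias corp-dual-cert enable
```

The trustpoint still has to be populated with the root CA (crypto ca authenticate) and the client needs valid certificates in both the machine and the user store before the second profile connects without prompting.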

We're having a similar problem.

We are using two factor authentication by checking computer certificate and username/password (LDAP). This works just fine for the majority of our employees.

Now we are trying to implement an exception for a few users. Those should be able to authenticate by "user certificates" (or better computer and user certificates).

DAP is not an option, due to Essentials license.

Ideas?

Hi,

I am trying to implement dual authentication (LDAP + computer certificate). Currently "LDAP" authentication is perfectly fine, but when I try to implement computer-certificate-based authentication, AnyConnect shows an error. Could you kindly send me any URL for reference on how to implement this, or guide me?

Your kind support is required.

Hi Marvin,

Can you tell us what would be the parameters to check if it's a domain machine?

How can we tell anyconnect to send machine information?

Thank you!

You need to use Cisco Secure Desktop to scan the host and send back the registry key that identifies the domain to which the machine has been joined. An example of how to do so is in this document.

Hello

I see that post, but I need a more detailed one to perform a configuration similar to the one in the subject.

An always-on VPN with Cisco AnyConnect application

First -> A machine certificate to create the first connectivity with the ASA, which contains the root CA certificate.

Second -> A user certificate with SCEP to NDES. Once the user is logged in on a corporate machine, we need that user to be allowed by Active Directory. If the certificate is on the laptop -> OK. If not, use SCEP proxy to get the certificate from the NDES.

Could you give us a clue to deploy that configuration?

Thank you in advance.


swapsakker
Level 1

I have almost the same situation and need a bit of help.

I have an ASA5520 and now it is possible to connect to AnyConnect using either user/pass or a machine certificate. But how do I set it up so that it first checks the machine certificate, and if it is not present then it asks for user/pass?