Beginner

Certificate Based Authentication + LDAP MAP

Would it be possible to perform 2-factor authentication in such a way as to require only a certificate but also verify the user is a member of a group within Active Directory?

The goal is for the user to still have to enter nothing for a username and password, since AnyConnect will look at the user certificate store, but in the background also check the username for a permitted group within Active Directory.

Cisco Employee

Re: Certificate Based Authentication + LDAP MAP

Hi

Yes, you can use certificate authentication with LDAP authorization and use either the LDAP MAP or DAP to apply settings based on LDAP attributes (e.g. memberOf).

You may need a feature known as "username-from-certificate" that you can use to specify which field in the certificate the ASA should consider to be the username to send to the LDAP server.

Note that this is not considered 2-factor authentication, since you only use the certificate for authentication; the LDAP lookup is doing authorization only.

If you want to do real 2-factor authentication then you can still use the username-from-certificate feature to pre-fill the username in the login screen, so the user only needs to enter his password.

hth

Herbert
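The ASA configuration that Herbert's reply describes, written out as an added example (it is not part of the original reply and not Cisco's own sample config): certificate-only authentication on the tunnel-group, the username taken from the certificate's UPN field, an LDAP authorization lookup against Active Directory, and an LDAP attribute map that turns the `memberOf` value into a group policy. Every host, DN, group and policy name below is a constructed placeholder; the design is deny-by-default, so a user whose certificate is valid but who is not in the mapped AD group lands in a group policy with zero allowed logins.

```cisco
! --- Group policies: deny-by-default, allow only via the LDAP map ---
! Users whose memberOf does not match any map-value fall back to this
! policy and are refused (vpn-simultaneous-logins 0).
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy assigned to members of the permitted AD group.
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN-POOL

! --- LDAP attribute map: AD memberOf -> ASA Group-Policy ---
! The group DN is a constructed placeholder; replace with the real AD group.
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-VPN-USERS

! --- AAA server group used for AUTHORIZATION only (no password check) ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <placeholder-service-account-password>
 server-type microsoft
 ldap-attribute-map AD-MAP

! --- Tunnel group: certificate authentication + LDAP authorization ---
tunnel-group VPN-CERT type remote-access
tunnel-group VPN-CERT general-attributes
 ! Fall back to the deny policy unless the LDAP map assigns another one.
 default-group-policy GP-NOACCESS
 ! Use the certificate's UPN as the username sent to LDAP; the
 ! ldap-naming-attribute above must match this choice.
 username-from-certificate UPN
 ! Look the user up in AD after the certificate is validated, and
 ! refuse the session if the lookup fails rather than silently allowing it.
 authorization-server-group AD-LDAP
 authorization-required
tunnel-group VPN-CERT webvpn-attributes
 ! Certificate only: the client is never prompted for a password.
 authentication certificate
```

Two points worth checking when deploying something like this. First, `ldap-naming-attribute` must name the AD attribute that holds the same value `username-from-certificate` extracts (UPN here, or `sAMAccountName` with `CN` if your certificates carry the account name in the subject CN); if they disagree, every lookup fails and `authorization-required` correctly denies everyone, which is the safe failure mode but looks like an outage. Second, as the reply notes, this is still single-factor: possession of the certificate is the only thing authenticated, and the AD lookup only decides what the already-authenticated user may do. For a real second factor, swap `authentication certificate` for `authentication aaa certificate` with an authentication server group, and the `username-from-certificate` setting still pre-fills the username so the user only types a password.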