10-19-2016 05:48 AM - edited 02-21-2020 09:01 PM
Hello,
We are currently using the AnyConnect VPN client and want to set up 2 factor authentication. My research shows that there are 2 ways:
1. Token Based. Examples of this would be Duo or Google Authenticator, etc.
2. Certificate Based. Where the user's computer is the 2nd factor through the presence of a certificate.
The company would like to use the certificate based method of 2 factor. I have found quite a few articles outlining this through the use of a local CA server to handle user certificates. While this is an option, we would prefer not to have to manage a CA server. The question I was asked (which I don't know the answer to) is "Can we set it up where all users use the same certificate as the 2nd factor instead of each user having a unique certificate?". I know that doing it this way is probably not the "Best practice" way, but is it possible? If it is possible, are there any resources (I couldn't find any) that outline the process for implementation?
Previously we were using IPSec. To log in we required the correct credentials, plus a custom profile that was provided to the user by us. The custom profile was not available/accessible to users outside our network. So factor 1 was the user's credentials and factor 2 was the profile.
Thanks for the help.
10-19-2016 07:18 AM
Use the head end device as the CA Server (i.e. The Firewall)
10-19-2016 10:28 AM
Thank you for your response.
Was the "Securing Cisco SSL VPN’s with Certificates" supposed to be a link to an article?
02-23-2017 07:41 AM
I'd like to do the same thing. Did you ever come up with a solution to using the same cert for all users?