2fa with locally signed certificate

Hi all, I hope someone can help and share ideas.

We currently use AnyConnect VPN with AD and a token for authentication, and I'm looking to change this to AD plus certificate.

We want to use an AD self-signed certificate, which a specific group policy installs on the machine at first join to the domain (for wireless access).

The requirement is that, upon connection, your AD credentials are verified, and then the DAP for that authentication group on the ASA (9.7) verifies the existence of the cert as an endpoint attribute as part of the authentication process.

I've seen many posts about using a proper CA etc., but nothing on how to check for a locally/self-signed certificate.

Any pointers on how to set this up on the ASA?

Thanks in advance.

1 Reply

Hi,

What you want to do is configure a tunnel-group on the ASA with double authentication (certificate and UN/PW); you don't need to use DAP. When you say use a self-signed certificate, I assume you mean a certificate issued by an internal Windows CA rather than a public CA? If so, this example here shows how to configure a trustpoint on an ASA, enroll for a certificate and configure double authentication.

HTH
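As an added illustration (not part of the thread above and not Cisco's own documentation), this is the shape of the ASA configuration the reply describes: trust the internal AD CS root as a trustpoint, then require both that certificate and AD credentials on the tunnel-group. The CA name CORP-ROOT-CA, the LDAP server 10.0.0.5, the pool, and the tunnel-group and group-policy names are all assumed; the PEM pasted at the `crypto ca authenticate` prompt is a placeholder.

```cisco
! --- Trust the internal Windows CA root (assumed name CORP-ROOT-CA) ---
crypto ca trustpoint CORP-ROOT-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
! Paste the CA's base64 root certificate at the prompt (placeholder below):
crypto ca authenticate CORP-ROOT-CA
! -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----

! --- Only accept client certs actually issued by that CA ---
! Without a map, any cert chaining to any trustpoint on the box would pass.
crypto ca certificate map CORP-USER-CERTS 10
 issuer-name attr cn eq "CORP-ROOT-CA"

! --- AD (LDAP) server for the username/password leg (assumed address) ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-base-dn DC=corp,DC=example
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=corp,DC=example
 ldap-login-password <bind-password>
 server-type microsoft

ip local pool VPN-POOL 10.50.0.10-10.50.0.250 mask 255.255.255.0

group-policy GP-VPN internal
group-policy GP-VPN attributes
 vpn-tunnel-protocol ssl-client

! --- Tunnel-group with double authentication: cert AND AD credentials ---
tunnel-group VPN-AD-CERT type remote-access
tunnel-group VPN-AD-CERT general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-VPN
tunnel-group VPN-AD-CERT webvpn-attributes
 authentication aaa certificate
 group-alias "Corp VPN" enable

! Steer sessions presenting a CORP-ROOT-CA cert into that tunnel-group
tunnel-group-map enable rules
tunnel-group-map CORP-USER-CERTS 10 VPN-AD-CERT

webvpn
 enable outside
 anyconnect enable
```

The `authentication aaa certificate` line is the "double authentication" the reply refers to: the ASA validates the machine certificate against the trustpoint before it ever prompts for the AD username and password, so no DAP endpoint check is needed.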