10-21-2021 10:40 AM
Hello,
We are running an ASA 5525 (9.8(4)32) and AnyConnect client 4.10.01075. We are currently using an internal cert and are looking to switch to a 3rd-party wildcard cert. In doing so, what means are available to prevent an employee from downloading AnyConnect on their personal device and connecting to the VPN with their organization credentials?
Second part: are there available options to add another layer of security by enforcing Azure MFA as part of the auth process?
Greatly appreciate any feedback and direction.
10-22-2021 12:03 AM
Add an internal CA machine-certificate check to authentication. It will easily eliminate any BYOD attempts with AnyConnect. Just make sure workstations are able to renew certificates while connected only through AnyConnect, so users will not get locked out after the 1-year certificates expire.
Azure MFA can be built two ways: either RADIUS to a local Windows NPS server with the Azure connector, or direct SAML from the ASA. SAML requires AnyConnect Apex licenses.
10-22-2021 05:05 AM
Thank you for the response. We are currently using an internal CA machine cert today. An external audit reported that the cert's validity was too long at 2 years, so I was not sure whether we could use a combination of a public cert and still have the ASA perform an internal machine-cert check for auth. We are not currently using a public cert.
Appreciate the info on Azure MFA; will definitely look into these options.
Thanks
10-22-2021 05:31 AM
Not sure if 2-year cert validity should be any issue. You should have a CRL procedure to block certificates at any time anyway. Or was that 2-year validity just an improvement suggestion? I'm not sure what you mean by that public cert; those are just needed for the service SSL authenticity check. I haven't seen public certs used for authentication or authorization.
If you already have Azure MFA licenses for end users, then that is a great way to authenticate users. Authenticate VPN using a combination of machine cert and Azure MFA. Remember to check that you have CRL working on the CA certificate so the ASA can block any revoked machines. Cert + Azure MFA will require building Azure MFA using the Windows NPS RADIUS server, because you can't mix and match SAML.
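The combination described in the replies above (public wildcard cert for the ASA's own TLS identity, internal-CA machine cert plus RADIUS-to-NPS for user authentication, CRL checking on the internal CA) pulled together as one ASA configuration. This is an added example, not a config posted by anyone in this thread; all names, the 10.0.0.10 NPS address, the CA subject names and the CRL URL are placeholders to replace with your own.

```cisco
! --- Public wildcard certificate: server identity only (what AnyConnect verifies on connect) ---
crypto ca trustpoint PUBLIC-WILDCARD
 enrollment terminal
 keypair WILDCARD-KEY
 crl configure
!
! --- Internal CA: used only to validate client (machine) certificates ---
! revocation-check crl with no "none" fallback is fail-closed: if the CRL cannot be
! fetched, client-cert authentication fails rather than silently skipping the check.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy static
  url 1 http://pki.example.com/CertEnroll/Internal-Issuing-CA.crl
!
! --- Only certs from the internal issuing CA, issued to domain machines, match this map ---
! (issuer/subject values are assumptions; match them to your CA and machine-cert template)
crypto ca certificate map INTERNAL-MACHINE-CERT 10
 issuer-name attr cn eq Internal Issuing CA
 subject-name attr ou eq Domain Computers
!
! --- RADIUS to Windows NPS running the Azure MFA NPS extension ---
! Timeout must cover the time a user needs to approve the push/phone call; the
! ASA default of 10 s is too short for MFA.
aaa-server AZURE-NPS protocol radius
aaa-server AZURE-NPS (inside) host 10.0.0.10
 key <radius-shared-secret>
 timeout 60
!
! --- Present the public wildcard cert on the outside interface ---
ssl trust-point PUBLIC-WILDCARD outside
!
webvpn
 enable outside
 anyconnect enable
 ! Clients whose cert matches the map are steered into the cert+MFA tunnel-group
 certificate-group-map INTERNAL-MACHINE-CERT 10 ANYCONNECT-MFA
!
tunnel-group ANYCONNECT-MFA type remote-access
tunnel-group ANYCONNECT-MFA general-attributes
 authentication-server-group AZURE-NPS
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-MFA webvpn-attributes
 ! Both a valid machine cert (chained to INTERNAL-CA, not on the CRL) AND a
 ! successful RADIUS (NPS -> Azure MFA) exchange are required.
 authentication aaa certificate
 group-alias corp enable
```

Two checks worth running after applying this: `show crypto ca crls` should list a current, non-expired CRL for INTERNAL-CA (if it does not, the fail-closed revocation-check will lock everyone out, which is the symptom to look for before blaming NPS), and a test from a domain machine versus a personal device should show the personal device rejected before any credential prompt reaches NPS. Because the CRL URL must be reachable from the ASA itself, and machine-cert renewal must work over the tunnel as the first reply points out, both paths should be tested from the VPN side rather than only from the LAN.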