AnyConnect and public cert

ITSupport16
Level 1

Hello,


We are running an ASA 5525 (9.8(4)32) and AnyConnect client 4.10.01075. We are currently using an internal cert and are looking to switch to a 3rd-party wildcard cert. In doing so, what means are available to prevent an employee from downloading AnyConnect on their personal device and connecting to VPN with the organization's credentials?


Second part: are there available options to add another layer of security by enforcing Azure MFA as part of the auth process?

Greatly appreciate any feedback and direction.


3 Replies

msegersvard
Level 1

Add an internal CA machine certificate check to authentication. It will easily eliminate any BYOD attempts to AnyConnect. Just make sure workstations are able to renew certificates while connected only through AnyConnect, so users will not get locked out after 1y certificates expire.


Azure MFA can be built two ways: either RADIUS to a local Windows NPS server with the Azure connector, or direct SAML from the ASA. SAML requires AnyConnect Apex licenses.

Thank you for the response. We are currently using an internal CA machine cert today. An external audit reported that that cert's validity was too long at 2 years, so I was not sure if we could use a combination of a public cert and still have the ASA perform an internal machine cert check for auth. Not currently using a public cert.


Appreciate the info on Azure MFA; will definitely look into these options.


Thanks

Not sure if 2y cert validity should be any issue. You should have a CRL procedure to block certificates at any time anyway. Or was that 2y validity just an improvement suggestion? I'm not sure what you mean by that public cert; those are just needed for the service SSL authenticity check. I haven't seen public certs used for authentication or authorization.

If you already have Azure MFA licenses for end users, then that is a great way to authenticate users. Authenticate VPN using a combination of machine cert and Azure MFA. Remember to check that you have CRL working on the CA certificate so the ASA can block any revoked machines. Cert + Azure MFA will require building Azure MFA using a Windows NPS RADIUS server, because you can't mix and match SAML.
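The configuration below is an added illustration of the arrangement described in this thread, written for this page; it is not posted by either participant and is not taken from Cisco documentation. It separates the two certificate roles the replies distinguish: the public wildcard certificate is bound to the outside interface purely as the TLS server identity, while the internal CA trustpoint is the only one allowed to validate client (machine) certificates, with CRL checking required so revoked machines are blocked. User authentication then goes over RADIUS to an NPS server carrying the Azure MFA extension. All trustpoint names, the tunnel-group name, the address pool, the NPS address, and the FQDN are assumed placeholders; the CRL distribution point and the RADIUS shared secret come from your own environment.

```cisco
! --- Public wildcard cert: TLS identity of the VPN portal only (assumed trustpoint name).
! Import the wildcard cert + key as PKCS#12 first:
!   crypto ca import PUBLIC-WILDCARD pkcs12 <passphrase>
crypto ca trustpoint PUBLIC-WILDCARD
 fqdn vpn.example.com
 validation-usage ssl-server
! Bind it to the outside interface; it is never used to judge client certificates.
ssl trust-point PUBLIC-WILDCARD outside

! --- Internal CA: the only trustpoint permitted to validate AnyConnect client certs.
! A device without a machine cert chained to this CA cannot complete authentication,
! which is what blocks personal (BYOD) installs even when the user knows their password.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 validation-usage ssl-client
 revocation-check crl
 crl configure
  policy cdp
  enforcenextupdate
  cache-time 60
! Install the internal root with: crypto ca authenticate INTERNAL-CA

! --- RADIUS to the Windows NPS server running the Azure MFA extension (assumed address).
! The per-host timeout is raised because the request blocks while the user approves the push.
aaa-server NPS-RADIUS protocol radius
 max-failed-attempts 3
aaa-server NPS-RADIUS (inside) host 10.0.0.5
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
 timeout 60

! --- Remote-access policy and tunnel-group (assumed names and pool).
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN-POOL

tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group NPS-RADIUS
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 ! "aaa certificate" = BOTH a valid machine cert AND a RADIUS (NPS + Azure MFA) pass.
 authentication aaa certificate
 group-alias CORP enable

webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

Two operational points follow from the thread's own warnings. First, because the trustpoint is configured with `revocation-check crl` (hard fail), the CRL distribution point must be reachable from the ASA; if it is only reachable over the VPN itself, certificate authentication fails for everyone, so verify the CDP is reachable from the ASA's own routing before cutting over. Second, machine-certificate renewal must succeed through the tunnel, otherwise a workstation whose certificate expires while it is remote can no longer authenticate to get the renewal; check that the internal CA's enrollment endpoint is reachable from the VPN pool and that auto-enrollment triggers well before expiry.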