
AnyConnect Authentication AAA+????

spm
Level 1

I just set up our ASA to use the AnyConnect client. Currently users are authenticating using AAA. I would like to add another layer of security to this. Ideally what I would like to do is have users log in with their username and password as well as have a certificate pre-installed on their laptop/home computer.

I know under the AnyConnect Connection Profiles there is the option of using both AAA and a certificate. I've been searching for documentation on configuring this option but I'm a little unsure about a few things.  Do I just click on the Both option, create a new certificate and associate it with the TrustPoint? Do I need to configure the ASA as a CA server?  I've found a few documents on this subject but one said I need to run Secure Desktop.

Here is some background info:

I followed this guide when I initially set up AnyConnect access.

I'm running an ASA5510 with version 8.2(4) software and ASDM version 6.3(5).

Thanks

Shawn

Accepted Solution

rahgovin
Level 4

Hi,

In order to use the option of authenticating using both AAA and certificate you would need

  • The ASA to have a trusted certificate (preferably one from a trusted 3rd party vendor like Verisign) or a Microsoft CA server cert.
  • The client should have a certificate issued to it from a CA server (MS). It would be preferable to have the ASA and client issued a cert from the same CA server. ASA as a CA server is also an option, but this solution can only be used for SSL VPN, not IPsec.
  • (optional) you can use certificate to tunnel-group mappings to get the right tunnel group from the certificate
  • (optional) you can also set it up to get the AAA username from the certificate.
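The four bullets above pulled together into one ASA 8.2-style CLI configuration, as an added example that is not part of the original reply or of Cisco's documentation. Every name in it (the trustpoint CORP-CA, the certificate map CERT-MAP, tunnel group ANYCONNECT-TG, group policy ANYCONNECT-GP, AAA server group MY-AAA, the hostname vpn.example.com and the OU value VPN-Users) is a placeholder, and it assumes the AAA server group and the AnyConnect package are already configured, as the question describes, and that one external (e.g. Microsoft) CA issues both the ASA identity certificate and the client certificates.

```cisco
! --- 1. ASA identity certificate from the corporate CA (assumed external CA) ---
crypto ca trustpoint CORP-CA
 enrollment terminal
 subject-name CN=vpn.example.com
 ! check client certs against the CA's CRL so a revoked (lost laptop) cert is rejected
 revocation-check crl
crypto ca authenticate CORP-CA
crypto ca enroll CORP-CA
! present the identity certificate on the interface AnyConnect users hit
ssl trust-point CORP-CA outside

! --- 3. certificate map: which client certificates belong to this tunnel group ---
crypto ca certificate map CERT-MAP 10
 issuer-name attr cn co Corp
 subject-name attr ou eq VPN-Users

! --- group policy allowing the SSL (svc) client only ---
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol svc

! --- tunnel group requiring BOTH a valid client certificate AND AAA credentials ---
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group MY-AAA
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 ! the "Both" option from ASDM: certificate is validated first, then AAA username/password
 authentication aaa certificate
 ! 4. take the AAA username from the certificate's CN and pre-fill it in the client
 username-from-certificate CN
 pre-fill-username ssl-client
 group-alias corp enable

! --- 3. tie the certificate map to the tunnel group ---
webvpn
 enable outside
 svc enable
 certificate-group-map CERT-MAP 10 ANYCONNECT-TG
```

Step 2 (issuing the client certificate) happens on the CA side and is not shown; the client certificate must be in the machine or user store before the first connection, because with `authentication aaa certificate` a client without an acceptable certificate never reaches the password prompt. `show crypto ca certificates` confirms the ASA's own certificate and CA chain are installed, and the certificate-map match can be checked by connecting and looking at which tunnel group the session landed in with `show vpn-sessiondb svc`.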
