anyconnect authentication method: AAA and certificate

Vag (Level 1)

I'm looking into implementing AnyConnect on ASA, in the most secure way possible.

I'm thinking of using certificates as the first form of authentication and RADIUS as the second one.

The reason why I am considering adding RADIUS authentication along with certificate authentication is that I want users to be prevented from accessing the network as soon as their account is disabled, instead of having to revoke their certificates and wait (or force) for the CRL update.

The question is whether adding RADIUS is considered safe, given that it uses MSCHAPv2, which is considered weak nowadays.

Accepted Solution

Rahul Govindan (VIP Alumni)

The authentication data between the ASA and the client is going to be encrypted in a TLS channel, so from a security standpoint there is an added layer to protect that transaction. Adding AAA + certificate is definitely a plus over just having AAA or certificate. RADIUS is the more commonly used AAA protocol in these deployments. But if you are using AD, LDAPS should provide more security, as it also flows encrypted in the backend.

You can also add a 2-factor aspect to AAA by adding the username-from-certificate feature, so that the certificate and credentials both need to be from the same user for it to work. Another option is to use RADIUS in conjunction with a token server so that there is some OOB security also added in place.

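An ASA configuration sketch of the combination described in the accepted solution: certificate plus AAA on the tunnel group, the username taken from the certificate and locked into the login prompt, and AAA pointed at Active Directory over LDAPS instead of RADIUS. This is an added example, not configuration from the original post or from Cisco; it assumes ASA 9.x CLI syntax, and the trustpoint names, server tag AD-LDAPS, tunnel group AC-TG, pool, base DN and IP addresses are placeholders to be replaced.

```text
! --- PKI: CA that issued the user certificates (example trustpoint name) ---
crypto ca trustpoint CORP-USER-CA
 enrollment terminal
 revocation-check crl
! ASA-ID is assumed to hold the ASA's own server certificate (enrollment omitted)
ssl trust-point ASA-ID outside

! --- AAA: Active Directory over LDAPS, bind and lookup travel inside TLS on tcp/636 ---
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 10.0.0.5
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password <bind-password>

! --- AnyConnect client access ---
ip local pool AC-POOL 10.10.10.10-10.10.10.250 mask 255.255.255.0
webvpn
 enable outside
 anyconnect enable

group-policy AC-GP internal
group-policy AC-GP attributes
 vpn-tunnel-protocol ssl-client

tunnel-group AC-TG type remote-access
tunnel-group AC-TG general-attributes
 address-pool AC-POOL
 authentication-server-group AD-LDAPS
 default-group-policy AC-GP
tunnel-group AC-TG webvpn-attributes
 ! both factors required: a valid cert chaining to CORP-USER-CA AND a successful AD login
 authentication aaa certificate
 ! username is read from the certificate CN and the login field is pre-filled and locked
 username-from-certificate CN
 pre-fill-username client
 group-alias corp enable
```

Because `authentication aaa certificate` requires both checks to pass, a disabled AD account fails the LDAP bind immediately, which covers the "disabled account" case from the question without waiting for CRL propagation; the certificate check (with `revocation-check crl`) still catches keys that were revoked outright. `username-from-certificate` plus `pre-fill-username client` is what ties the two factors to the same user: a valid certificate cannot be paired with somebody else's AD credentials.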

Thanks for your answer, Rahul. I assume that AnyConnect still doesn't support RADIUS authentication purely based on certificates, in the way that wireless controllers do.