02-16-2017 09:36 PM - edited 02-21-2020 09:09 PM
I'm looking into implementing anyconnect on ASA, in the most secure way possible.
I'm thinking of using certificates as the first form of authentication and Radius as the second one.
The reason why I am considering adding Radius authentication along with certificate authentication is that I want users to be prevented from accessing the network as soon as their account is disabled, instead of having to revoke their certificates and wait for (or force) the CRL update.
The question is whether adding Radius is considered safe, given that it uses MSCHAPv2 which is considered weak nowadays.
02-17-2017 07:25 AM
The authentication data between the ASA and client is going to be encrypted in a TLS channel, so from a security standpoint, there is an added layer to protect that transaction. Adding AAA + certificate is definitely a plus over just having AAA or certificate. Radius is the more commonly used AAA protocol in these deployments. But if you are using AD, LDAPS should provide more security as it also flows encrypted in the backend.
You can also add a 2-factor aspect to AAA by adding the username-from-certificate feature so that the certificate and credentials both need to be from the same user for it to work. Another option is to use Radius in conjunction with a token server so that there is some OOB security also in place.
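The combination described in the answer above (certificate + AAA, LDAPS to AD instead of RADIUS/MSCHAPv2, and username-from-certificate so the password must belong to the certificate holder), written out as an ASA 9.x configuration fragment. This is an added example, not configuration from the original post or from Cisco; the trustpoint, server group, pool, group-policy and tunnel-group names, the IP addresses, the base DN and the bind DN are all assumed placeholders for a domain corp.example.com.

```cisco
! Added example, not from the original post. All names and addresses are assumed.
! Trustpoint that issued the user certificates. Revocation is still checked
! against the CRL, but it is the AAA step further down that locks a user out
! the moment the AD account is disabled (AD refuses the LDAP bind).
crypto ca trustpoint CORP-USER-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
! Then import the CA certificate: crypto ca authenticate CORP-USER-CA

! LDAP over TLS (port 636) to a domain controller, in place of RADIUS/MSCHAPv2.
! userPrincipalName is the naming attribute so that it matches the UPN taken
! from the certificate below (use sAMAccountName + CN if your certs use the CN).
aaa-server CORP-LDAPS protocol ldap
aaa-server CORP-LDAPS (inside) host 10.1.1.10
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=corp,DC=example,DC=com
 ldap-login-password <bind-account-password>

ip local pool VPN-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0

group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client

! Both factors are required: "authentication aaa certificate" makes the ASA
! demand a valid client certificate AND AAA credentials, and
! "username-from-certificate" + "pre-fill-username" fix the AAA username to the
! UPN in the certificate, so a stolen password for a different account does
! not pair with this certificate.
tunnel-group ANYCONNECT-CERT-AAA type remote-access
tunnel-group ANYCONNECT-CERT-AAA general-attributes
 address-pool VPN-POOL
 authentication-server-group CORP-LDAPS
 default-group-policy GP-ANYCONNECT
 username-from-certificate UPN
tunnel-group ANYCONNECT-CERT-AAA webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 group-alias corp enable

webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

Two checks worth doing after applying this: `show aaa-server CORP-LDAPS` and `test aaa-server authentication CORP-LDAPS host 10.1.1.10 username <upn> password <pw>` to confirm the LDAPS bind works, then disable the test account in AD and repeat the test to confirm the bind is refused, which is exactly the immediate lockout the question asks for, independent of CRL timing.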
02-19-2017 04:11 AM
Thanks for your answer Rahul. I assume that AnyConnect still doesn't support Radius authentication purely based on certificates, in the way that wireless controllers do.