AnyConnect Machine Cert Flow?

Hello,


I have a pair of FP 2110s and I'm looking to implement Machine Cert Authentication with AnyConnect. What I'm looking for is if someone can give me a step-by-step breakdown of how the authentication works. I imagine it's the same process as the ASAs.

For example, how does the machine get a cert? GPO push?

If I enable AC with Machine Cert Auth, how does that machine authenticate? Does it ask my Firepower to relay authentication to our on-prem CA server? If so, what cert does the FP need?

How many Certs are needed? One created on the CA and then that is on the FP for auth?

Thank you.

Accepted Solution

Francesco Molino
VIP Alumni

Hi

Here is a link explaining how to install a certificate on an FTD device:

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_threat_defense_certificate_based_authentication.html

You'll need to install the CA certificate on the FTD and enroll the device with an identity certificate coming from the same CA that will give the machine certificates.

Then you'll need to push the certificates to the machines through GPO.

The authentication occurs on the FTD device only, like ASA.

However, you can use a RADIUS server for authorization by pulling the CN field, for example (it could be another field), and checking it against your RADIUS for authorization before granting the machine access to the network.

The process is exactly the same as ASA, except FTD doesn't proxy the SCEP request for the user certificate, which has to be done separately using GPO.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
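Added example, not from the thread or from Cisco: a small OpenSSL lab that mimics the two steps the answer describes, the FTD checking a presented machine certificate against the CA certificate installed on it, then pulling the CN for a RADIUS authorization lookup. It assumes openssl is on the PATH; the CA names and host CNs are constructed lab values.

```shell
#!/bin/sh
# Added example, not from the thread: simulate FTD-side machine-cert validation
# and CN extraction with OpenSSL. Assumes openssl is installed; all names below
# are constructed lab values.
set -e
WORK=$(mktemp -d)

# Lab CA standing in for the on-prem enterprise CA: $1 = file stem, $2 = CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Machine cert issued by CA $1 (what GPO auto-enrollment delivers to the host):
# $2 = file stem, $3 = machine CN.
issue_machine_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# Step 1 of the flow: the FTD trusts only certs chaining to its installed CA cert.
# Returns 0 when machine cert $2 verifies against CA $1, non-zero otherwise.
ftd_verify() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>/dev/null | grep -q ': OK$'
}

# Step 2: pull the CN from a validated cert; this is the value you would hand
# to RADIUS for the authorization check.
extract_cn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Demo: one machine cert from the trusted CA, one from an unrelated CA.
make_ca enterprise-ca "Lab Enterprise CA"
make_ca other-ca "Unrelated CA"
issue_machine_cert enterprise-ca host01 "host01.lab.example"
issue_machine_cert other-ca host02 "host02.lab.example"
for h in host01 host02; do
  if ftd_verify enterprise-ca "$h"; then
    echo "$h: chain OK, authorize CN=$(extract_cn "$h") via RADIUS"
  else
    echo "$h: rejected, not issued by the trusted CA"
  fi
done
```

The second host fails step 1 even though its certificate is otherwise well formed, which is why the answer stresses that the FTD identity cert and the machine certs must come from the same CA.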


2 Replies


Great explanation!

My FTDs are actually managed by FMC. Let me look at the doc and I'll probably have another question or two. I'll be looking at where to place the certs and such. Be back soon!