Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1052
Views
30
Helpful
10
Replies

Anyconnect SSL RA VPN Dual Authentication

Go to solution
Srinivasan Nagarajan
Level 1
Level 1

‎01-30-2021 07:32 AM - edited ‎01-30-2021 07:34 AM

Hi Experts

We've  ASA Anyconnect Remote access SSL Dual Authentication managed through the Radius server- ISE. 

When they connect, client will be validating the identity cert of the firewall (Server Authentication) and in return firewall validates the client user/machine certs (Client Authentication)

Once validated, they'll be entering their credentials, they'll be hitting the Default WebVPN tunnel group. And, firewall will pass their credentials to the Radius Server ISE which will push the Group-policy based on AD groups configured.

1. Is it understanding is correct or am i missing something in the traffic flow ?

2. If yes, how do we know if ASA is looking for the User cert or the Machine cert on the end-users?

 

Please assist.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎01-30-2021 07:43 AM

Hi @Srinivasan Nagarajan 

They'll hit the tunnel group specified either via the group URL or from the drop-down list. RADIUS can push the group policy settings if configured, it's not a requirement.

 

You can modify the AnyConnect XML profile, to either check user, machine or all certificate store. Default is "all".

vpn editor.PNG

Or you can edit the XML profile manually by changing the following values:-

 

<CertificateStore>All</CertificateStore>

<CertificateStore>User</CertificateStore>

<CertificateStore>Machine</CertificateStore>

 

HTH

View solution in original post

10 Replies 10

Go to solution
Rob Ingram
VIP
VIP

‎01-30-2021 07:43 AM

Hi @Srinivasan Nagarajan 

They'll hit the tunnel group specified either via the group URL or from the drop-down list. RADIUS can push the group policy settings if configured, it's not a requirement.

 

You can modify the AnyConnect XML profile, to either check user, machine or all certificate store. Default is "all".

vpn editor.PNG

Or you can edit the XML profile manually by changing the following values:-

 

<CertificateStore>All</CertificateStore>

<CertificateStore>User</CertificateStore>

<CertificateStore>Machine</CertificateStore>

 

HTH

Go to solution
Srinivasan Nagarajan
Level 1
Level 1
In response to Rob Ingram

‎01-30-2021 07:53 AM - edited ‎01-30-2021 07:57 AM

Hi @Rob Ingram,

Thanks for the reply. Can you please assist on the below 

If we do client authentication, do we need to add the Root CA of the User/Machine cert into the trusted certs on the firewall and change the tunnel-group authentication to certificate or certificate & password, as required.

1. Is it correct or any other config is required?

2. If managed thro' Radius server, under the Tunnel-group on ASA firewall if we configure username-from-certificate as the CN, will the firewall pass it to the ISE or ISE will look for the username based on AD?

And, typically, browsers will be loaded with the public CA cert to validate the identity of the URL for any HTTPS traffic. (server authentication).

3.So, when connecting to  SSL RA VPN, which browser does the Anyconnect will look into to verify the Trusted CA certs list of public PKI?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Srinivasan Nagarajan

‎01-30-2021 08:01 AM

Yes, the ASA must have the root certificate used by the clients for authentication to succeed.

Yes the username will be passed to ISE, which can be used to perform authorization.

If you are using AnyConnect then the web browser certificate store won't be in use, the computers' certificate store (user/machine) will be used.

0 Helpful

Go to solution
Srinivasan Nagarajan
Level 1
Level 1
In response to Rob Ingram

‎01-30-2021 08:08 AM

Hi @Rob Ingram 

Thanks for the assistance. 

With regards to the Root CA certs (server Authentication), Anyconnect will look for the computers certificate store (user/machine).  Where does the Anyconnect will look into when validating the identity cert of the firewall (Public PKI)?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Srinivasan Nagarajan

‎01-30-2021 08:13 AM

The client will check the "Trusted Root Certificate Authorities" in the local computer store.

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎01-30-2021 08:10 AM

2. If yes, how do we know if ASA is looking for the User cert or the Machine cert on the end-users?

-You have the ability to perform certificate matching which you can configure in your AnyConnect xml profile that will tell AnyConnect to automatically match/map to a user/comp certificate.  Then in your connection profile (tunnel-group) you can extract something such as the UserPrincipalName (UPN) from the identity cert of the client that then gets passed to ISE for authorization and mapping against AD.

This is a pretty good overview tutorial that may help:SSL VPN Certificate-Based Authentication with AnyConnect

For the certificate matching configuration in the XML profile see the 'Certificate Matching' Section below Preferences part1/2.  HTH!

Go to solution
Srinivasan Nagarajan
Level 1
Level 1
In response to Mike.Cifelli

‎01-30-2021 08:17 AM - edited ‎01-30-2021 08:24 AM

Hi @Mike.Cifelli @Rob Ingram 

Thanks for the assistance, so far. Final one on this thread. Please assist

 

I've just noticed the Backup Server and Server List on the Anyconnect XML profile. 

1. what is the purpose of these?

2. Which one is used for the Backup/Secondary firewall VPN connection, if the primary goes down?

3. And how will the users be routed to the secondary firewall? Is it done automatically or how it works?

4.If Cert UPN is used for the username validation against the ISE AuthZ policies, when users enter the username/Password, what it does? Just a credential validation against the Identity Store sequence on ISE?

 

Cheers,

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎01-30-2021 08:23 AM - edited ‎01-30-2021 08:24 AM

No they are different.

 

Server List > Backup Servers, is a backup for that server list entry only. You can have multiple server lists, with unique primary and backup servers.

Backups Servers is global for all server lists.

 

When the primary fails, anyconnect will check the list and attempt to make a connection to the address on the backup list.

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎01-30-2021 08:35 AM

4.If Cert UPN is used for the username validation against the ISE AuthZ policies, when users enter the username/Password, what it does? Just a credential validation against the Identity Store sequence on ISE?

-In that scenario inside your tunnel-group configuration you would configure it to certificate only, and under authorization tab under advanced you would configure the extraction of the unique field you wish to use to map/authorize the client/user via ISE/AD.  Essentially in this scenario the user when connecting would not get prompted for username/pass.  Good luck & HTH!

Go to solution
Srinivasan Nagarajan
Level 1
Level 1
In response to Mike.Cifelli

‎01-30-2021 08:44 AM

Hi @Mike.Cifelli 

Thanks for the reply mate. Yeah, you're right when we configured authentication certificate

 

But Under Tunnel-group, We've configured authentication aaa certificate. If the username is extracted from the Cert and forwarded to ISE for the AuthZ policies and AD group validation, when users enter the username/Password, what it does? Just a credential validation against the Identity Store sequence on ISE?

 

0 Helpful
Customers Also Viewed These Support Documents