In the current Anyconnect setup I have users authenticate with an AD account and a user certificate. This certificate is generated by the local CA on the ASA. I want to apply failover into the ASA setup but that won't work with the local CA configured. So I'm researching into using the CA server function on Microsoft Server 2019 OS.
I wondering if it's possible for the Microsoft CA server to dish out user certificates that require a OTP to download, and how I can implement this into the ASA so it will point certificate authentication to the server when users try to log into anyconnect when using their AD credentials.
Any help will be greatly appreciated.
Normally you pre-deploy the user certificates from AD using a GPO, so the client would have the certificate ready for authentication to the VPN.
The only option I am aware of on the ASA is to use SCEP. Essentially you'd have 1 tunnel-group to enroll for a certificate, then another tunnel-group to connect to once the certificate has been enrolled. This guide is old but still applicable.
The guide you've linked, from my understanding is this only for certificate authentication, not certification and AD credentials authentication?
As you create two profiles, one for enrolling while the other is for authentication, the authentication profile uses the certificate only when users are logging into anyconnect, so this means no credentials like AD username or password are not used?
In that example the first tunnel-group is used to download the certificate, for the second tunnel-group, as you now have a certificate it's up to you which method(s) you use, i.e. aaa + certificate. The link was just to demonstrate SCEP enrollment.
This link below is better and provides more detail in configuring a SCEP Proxy, which actually uses the ASA to proxy the SCEP request to the CA instead of the client fetching the certificate themselves.
I've used a couple of times SCEP to enroll users with certificates on the Microsoft side, you can make you deployment easy and in a controlled manner, specially if you have more locations which you will need those certificates for eg. SSL decryption, VPN, Web Apps, etc.
You can get the SCEP into auto-enrollment, or accept manualy each cert request, might be a good choice for environments heavy compliance regulated.