Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2444
Views
10
Helpful
5
Replies

Anyconnect with Microsoft CA user authentication

BVC
Level 1
Level 1

‎09-10-2020 02:10 AM

In the current Anyconnect setup I have users authenticate with an AD account and a user certificate. This certificate is generated by the local CA on the ASA. I want to apply failover into the ASA setup but that won't work with the local CA configured. So I'm researching into using the CA server function on Microsoft Server 2019 OS. 

 

I wondering if it's possible for the Microsoft CA server to dish out user certificates that require a OTP to download, and how I can implement this into the ASA so it will point certificate authentication to the server when users try to log into anyconnect when using their AD credentials.   

 

Any help will be greatly appreciated. 

0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎09-10-2020 02:16 AM

Hi,

Normally you pre-deploy the user certificates from AD using a GPO, so the client would have the certificate ready for authentication to the VPN.

 

The only option I am aware of on the ASA is to use SCEP. Essentially you'd have 1 tunnel-group to enroll for a certificate, then another tunnel-group to connect to once the certificate has been enrolled. This guide is old but still applicable.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111850-scep-00.html


HTH

BVC
Level 1
Level 1
In response to Rob Ingram

‎09-10-2020 04:20 AM

The guide you've linked, from my understanding is this only for certificate authentication, not certification and AD credentials authentication?

 

As you create two profiles, one for enrolling while the other is for authentication, the authentication profile uses the certificate only when users are logging into anyconnect, so this means no credentials like AD username or password are not used?

0 Helpful

Rob Ingram
VIP
VIP
In response to BVC

‎09-10-2020 04:51 AM

In that example the first tunnel-group is used to download the certificate, for the second tunnel-group, as you now have a certificate it's up to you which method(s) you use, i.e. aaa + certificate. The link was just to demonstrate SCEP enrollment.

 

This link below is better and provides more detail in configuring a SCEP Proxy, which actually uses the ASA to proxy the SCEP request to the CA instead of the client fetching the certificate themselves.

http://www.labminutes.com/sec0134_ssl_vpn_anyconnect_secure_mobility_scep_proxy_1

 

0 Helpful

Ruben Cocheno
Spotlight
Spotlight

‎09-10-2020 02:28 AM

@BVC 

 

I've used a couple of times SCEP to enroll users with certificates on the Microsoft side, you can make you deployment easy and in a controlled manner, specially if you have more locations which you will need those certificates for eg. SSL decryption, VPN, Web Apps, etc.

 

You can get the SCEP into auto-enrollment, or accept manualy each cert request, might be a good choice for environments heavy compliance regulated.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

BVC
Level 1
Level 1
In response to Ruben Cocheno

‎09-10-2020 03:55 AM

@Ruben Cocheno 

 

What is the difference between auto-enrolment and manual? Are you referring to when users first install the user certificate? 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents