cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
318
Views
10
Helpful
5
Replies
Highlighted
Beginner

Anyconnect with mutiple certs

How do you handle having vendors/3rd parties? We have a working AnyConnect setup with our internal CA. We don't want to issues vendors certs from our internal system, how would I handle certs for these connections?

5 REPLIES 5
Highlighted
Cisco Employee

Hi there! Just to confirm: You are looking to provide remote-access VPN to contractors/vendors but you don't want them to have a certificate issued from your certificate authority? If yes, then you can:

1. Issue them a laptop from your organization that is properly locked down with all of your standard security controls. That way, they can connect to your network only with a trusted device that you can control. 

2. You could also create a different tunnel-group that is only to be used with contractors. The authentication can be configured to be based on username/password from your AD or locally configured on the ASA. That way, once a contractor is done, you would only have to disable the account in AD. In addition, you can configure this tunnel group to do some security checks like "Is an A/V installed and is it up to date, is the Firewall turned on, etc:

I hope this helps!

Thank you for rating helpful posts!

Highlighted

Thanks Neno -  was under the impression that certs were required for AnyConnect authentication  - is that not correct ?

Highlighted

OK, let me expand a bit more. Certificates with AnyConnect VPN can play two different functions:

1. A certificate is needed for SSL based VPNs. AnyConnect VPN is an SSL VPN so it will fall under the same category. The certificate is essentially used to encrypt the connection by creating a secure tunnel. Once the tunnel is up credentials can be passed through it securely. The certificate here can be issued by either the ASA directly (self-signed), issued by an internal CA (Sounds like this is what you are doing) or signed by a public/well-known CA (GoDaddy, VeriSighn, etc). What really matters here is that the remote user/machine trying to establish the VPN trusts the CA that issued that certificate. Thus, it is best practice to use a certificate from a well known/public CA. That way any users/machines (internal or external) will trust the certificate and will never get the "untrusted certificate/site) error when trying to establish the VPN. If you are using a certificate from your internal CA then you have two options:

1. Replace that certificate with one from a well-known/public CA. This won't be free but not expensive either. GoDaddy would be a valid and very low cost solution

2. If #1 is not an option then you have two sub-options:

2.1. The contractors/vendors will have to accept/trust the untrusted connection. This is not ideal and not secure but it is an option. 

2.2. You can export the root CA certificate from your CA and have the contractors import that in their trusted root certificate stores. This is not a security issue for you as you are simply making your CA be trusted by another party.

2. Optionally, the authentication (credentials) can also be certificate based. That way, the user does not have to type a username/password but simply present a valid certificate from a certificate authority that the VPN device trusts. The certificates in this case can be issued by an internal or an external CA. Again, the main thing to remember here is that the ASA must trust the CA that issued those certificates. 

I hope this cleared things up!

Thank you for rating helpful posts!

Highlighted

2.2. You can export the root CA certificate from your CA and have the contractors import that in their trusted root certificate stores. This is not a security issue for you as you are simply making your CA be trusted by another party.

This is where I'm having the issue. I was hoping to use another 3rd party CA as it was assumed this would be a security issue if we exported from our internal root. I'm wondering if I can find definitive documentation on how this is not a risk

Highlighted

I am by no means an expert on certificates/CAs/PKI so please take my answer with a grain of salt :) Also, this sort of question might be best asked on a Microsoft/Symantec/etc type forum. 

However, AFIK, there is not security issues with exporting the root CA's certificate as long as you are NOT exporting and distributing the private key. If you look at your trusted certificate store on your computer you will see tons of root and intermediate CA certificates from different vendors such as GoDaddy, VeriSign, etc. Thus, I doubt such large CAs would put themselves in a bad position and exposing themselves to security issues. The idea here is that you trust those CAs for certificates that they have issued/signed. 

I hope this helps!

Thank you for rating helpful posts!

Content for Community-Ad