AnyConnect without prompting for credentials

dbgreekas · ‎01-17-2011

Is certificate authentication the only mode where AnyConnect can be setup under windows to connect without prompting them for credentials?

I don't currently have User Certificates begin issued via PKI but I do have machine certificates.. I can check those however that would given network access to anyone with local admin on the laptop, and that is trivial to achieve.

User certificates would meet my objective for not prompting the user every time they connect, are their any other authentication modes / methods I could use?

Marcin Latosiewicz · ‎01-17-2011

David,

Well there's certificate store overrside for certificates if you want to override setting on latest ACL.

The current autentication schema is simple - certificate/PKI and/or AAA.

What you might want to look into is solution that rely on PKI - like smart cards, so require a user to have a smart card with them but in the end that behaves more or less like personal cert - but is not tied to a particular machine, does not require multiple enrollments for same user.

Hope this helps,

Marcin

dbgreekas · ‎01-17-2011

So other than personal certs / tokens there is no way to authenticate without prompting is what you are saying.

Marcin Latosiewicz · ‎01-17-2011

David,

I believe all current authentication mechanism rely on something one has and/or something one knows.

If one does not know and/or does not have - one should not be allowed in.

One should present what one knows and/or has when prompted for it.

The process of sharing or presenting can be automated (certificates with automatic cert selection or similar...) or not (user being prompted to provide password, let's say that username can be pre-filled from certificate).

Smart cards are quite seemless for this reason, one needs to only insert card into reader and launch app - no additional prompts if properly configured.

You can bypass authentication completely and to authorization with RADIUS and common password, but I don't believe anyone is using that (not even sure anyconnect would allow it - never tried it).

What's the end goal? What would you like to see happen and what was your idea to making sure there wouldn't be anyone spoofing identities?

Marcin

editted some major typos.

dbgreekas · ‎01-17-2011

Something like passing the current windows logged in credentials on to the VPN, instead of prompting again using something like NTLM authentication.

Other than when using prelogin authentication (must be a wired connection in most cases) the user has already logged in when AnyConnect has started..

Clearly using PKI with a card/token/ user cert would work but has its own costs and infrastructure.

Marcin Latosiewicz · ‎01-17-2011

David,

Situation you describe would require that a user is already logged into domain and passes something uniqe to ASA... most likely in form of session ID or whatnot (I don't believe it would be "secure" for windows to send password/hashes outside of system) The ASA would need to talk AD, which it doesn't (LDAP, Kerberos, NTLM only), so it would come at it's own flexibility cost too.

I don't know of (not to say that it doesn't exist) of a mechanism capable to make anyconnect work like this.

Regarding SBL, well it would anyway require two logons, first to ASA then to machine/domain.

I don't think we support/plan anything else than is already documented:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac06authenticate.html

Marcin