asa 5510 IPSec

aa123123aa
Level 1

Hello,

So I'm pretty much familiar with the ASA,

but not very much with VPNs.

My goal is to get as much security as possible when a user logs in via VPN,

which means I want the user to log in with a username, password, and a certificate made just for that user,

and not a group certificate,

and also to validate the user via LDAP.

But if both can't be done together, the first option I mentioned is more important to me.

So my question is: how can it be done on the ASA? Is it possible to have each user log in using a different certificate?

It was possible on my old firewall using OpenVPN.

I want to use the ASA as the certificate server.

I'm using ASDM 6.4

ASA 5510 software version 8.4(4)

Thanks in advance.

1 Accepted Solution

Accepted Solutions

For the legacy VPN Client you have to use an enterprise CA like the one built into Windows Server 2k3/2k8. On the ASA-CA only SSL VPNs are supported. But for a new deployment you really should go for the AnyConnect client.

12 Replies

Marvin Rhoads
Hall of Fame

Yes, two-factor authentication is not at all uncommon. There are several threads on this site describing experiences with it.

Reference

Reference 2


Thank you,

But the reference you gave, which leads to Cisco documentation, talks about an outside CA server.

Does it have to be like that? Can't I use the ASA as the CA server?

Maybe it's there and I've missed it/didn't get it, my apologies if so,

If someone can please point it out more specifically, I would appreciate it.

The ASA can be a CA server, but keep in mind that it won't work if you are running failover. So, even if you are not using failover at the moment, I would use a company PKI which is on the inside of the network.

If you decide not to go with certificates but with a secondary authentication, I would suggest looking into DuoSecurity (http://www.duosecurity.com) or YubiKeys (http://www.yubico.com).

I'm not using a failover ASA, and I'm not planning to use one either.

So please, if someone can explain to me how I can configure the ASA as the CA server, create a certificate per VPN user,

export the certificates to the clients, and the whole process,

it would be a great deal of help.

A very good how-to can be found on the blog from IPExpert:

http://blog.ipexpert.com/2010/07/28/asa-local-ca-server/

Thank you Karsten

I followed the manual.

It was excellent and made me understand just how it works, but I'm still left in a puzzle.

Basically, from what I've figured out, it's a general certificate which I've created;

any local user on the ASA can log in through it,

and what I want is that each user will have his own unique certificate.

In the example you generate a user named ipxuser. This user gets his certificate, and you would repeat that for every VPN user in your organization.

Hi

You basically need to have your users go to https://hostname/+CSCOCA+/enroll.html and enter the correct credentials / OTP, and the ASA will provide them with an ID certificate.

Then you could use a group-url to map your users to the correct profile (optional, you could use a group-alias) and use the "authentication aaa certificate" under the webvpn attributes of the specific profile to authenticate the incoming session with certs and AAA credentials (2-factor authentication).

ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

Certificate mapping to AnyConnect tunnel-group I.

http://itsecworks.wordpress.com/2011/07/15/certificate-mapping-to-anyconnect-tunnel-group/

Let me know if you have any questions.

Please rate any post that you find helpful.
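To tie the two answers above together (Karsten's point that the local CA issues one identity certificate per user-db entry, and the enrollment/tunnel-group steps in the reply just above), here is an added ASA CLI sketch. It is not from any post in this thread and not from Cisco's documentation; it assumes an ASA running 8.4, the hostname asa.example.com, a user jdoe, an LDAP server group called LDAP-SRV, a group policy GP-VPN and a tunnel-group VPN-USERS, all of which are made-up names. It applies to SSL/AnyConnect sessions only, since the local CA does not serve the legacy IPsec client.

```text
! --- ASA local CA: issues individual identity certs, not a shared group cert ---
crypto ca server
 issuer-name CN=asa.example.com
 lifetime certificate 365
 no shutdown
!
! One user-db entry per VPN user. Repeat these three lines for every user;
! "show-otp" prints the one-time password you hand to the user out of band.
crypto ca server user-db add jdoe dn CN=jdoe,OU=VPN-Users,O=Example email jdoe@example.com
crypto ca server user-db allow jdoe
crypto ca server user-db show-otp jdoe
! jdoe then enrolls at https://asa.example.com/+CSCOCA+/enroll.html with the OTP.
!
! --- Map certs issued by this CA to the tunnel-group ---
crypto ca certificate map VPN-USERS-MAP 10
 issuer-name attr cn eq asa.example.com
!
webvpn
 enable outside
 certificate-group-map VPN-USERS-MAP 10 VPN-USERS
!
! LDAP server group for the password factor (host, base DN etc. are site-specific)
aaa-server LDAP-SRV protocol ldap
!
group-policy GP-VPN internal
group-policy GP-VPN attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy GP-VPN
 ! take the AAA username from the certificate CN, so cert and password must belong to the same user
 username-from-certificate CN
tunnel-group VPN-USERS webvpn-attributes
 ! both factors mandatory: a valid cert AND LDAP credentials
 authentication aaa certificate
 ! lock the username field to the cert CN (keyword is "ssl-client" on older 8.x releases)
 pre-fill-username client
 group-url https://asa.example.com/vpn enable
```

The point of `username-from-certificate` plus `pre-fill-username` is that the certificate alone does not just unlock the login page: the username sent to LDAP is forced to the CN in the client's certificate, so a certificate issued to one user cannot be paired with another user's password. Removing a user is then `crypto ca server revoke <serial>` (the serial is visible in `show crypto ca server user-db`) together with deleting the user-db entry.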

I'm using Cisco VPN Client.

Can you please explain to me how it's done for that?

Thank you.

For the legacy VPN Client you have to use an enterprise CA like the one built into Windows Server 2k3/2k8. On the ASA-CA only SSL VPNs are supported. But for a new deployment you really should go for the AnyConnect client.

I agree with Karsten (5 stars).

For the Legacy VPN client, you must use an external CA server.

Please check this out:

ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

Let us know.

Thank you for bringing that to my attention, Karsten.

And it sure is something that I would discuss in my company, and check the possibility of purchasing AnyConnect licenses,

but I would need another option like the one I was looking for.

So for that matter,

Let's assume I have an outside enterprise CA

How then can I bind the certificate created there to a specific user on the ASA to log in via Cisco VPN?

**Edit

Sorry, didn't see your reply, I'll check it and get back to you guys.

Thanks again for all of the help.