ASA AnyConnect Client Authentication using Certificates
Need some guidance on cert-based authentication.
We have AnyConnect configured in the UK that terminates on ASAs in the UK. I can see from the profile that they use certificates to authenticate, but I can't tell which one, as the ASA has several certs installed.
How can I tell what cert is being used?
I need to set up cert-based authentication for another ASA; can I use a self-signed certificate from the ASA?
How would I go about adding this certificate to the client side, considering they are remote users?
We have an internal CA; can I use that to obtain both certs, for the ASA and the clients, or do I use a third-party CA?
Note the clients are in China, so I'm not sure if there are any implications in using a trusted third party, but I understand that with a third party no certs need to be installed on the client side, correct?
Will I need an FQDN for my outside IP address when using certs?
I assume I will have to install multiple certs on the clients if they connect to different ASAs (using different profiles), as long as they have the corresponding certs installed on the terminating ASAs.
Re: ASA AnyConnect Client Authentication using Certificates
The certificate used by the ASA is the one configured via the "ssl trust-point" command. You have the following options:
- public certificate on both ASA and clients (pretty expensive)
- public certificate on ASA and private certificate on clients (less expensive and the recommended option)
- private certificate on the ASA and private certificate on clients (no expense, but less recommended than the one above).
Whatever option you choose, you need to fix the chain of trust: clients need to trust the ASA's certificate and the ASA needs to trust the clients' certificates. If both the ASA and clients have certificates issued by the same CA, there is nothing to be done. If the ASA and client certificates are not issued by the same CA, you need to import on the ASA the certificate chain of the CA that issued certificates to the clients, and on the clients you need to import the certificate chain of the CA that issued the certificate to the ASA (if this is public, there is nothing to be done; modern operating systems trust all legitimate public CAs).
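The following is an added worked example, not code from either poster: a small openssl lab that shows what "fixing the chain of trust" means on each side of the handshake, and how to read which CA a certificate belongs to (so you can match the cert a live ASA presents against the trustpoints listed by "show crypto ca certificates" and the binding in "show running-config ssl"). Everything in it is constructed: "corp-ca" stands in for the internal CA, "public-ca" for a third-party CA, and vpn-cn.example.com / 203.0.113.10 / alice are placeholder names. It also goes one step past the answer and checks the FQDN question: a server cert whose SAN is a DNS name will not validate when the client profile dials a bare IP address.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds two CAs, issues an
# "ASA" server cert and a user cert, and checks trust in both directions.
# All names below are placeholders, not the poster's real hosts or CAs.
set -u
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA: the role of the internal CA (or of a public CA).
make_ca() {  # $1 = CA name
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[ca_ext]' \
    'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > "$WORK/$1.cnf"
  openssl req -x509 -config "$WORK/$1.cnf" -extensions ca_ext \
    -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf cert issued by a CA. $4 is the EKU: serverAuth for the cert bound with
# "ssl trust-point", clientAuth for the user cert. $5 is an optional SAN.
issue_cert() {  # $1 = CA name, $2 = leaf name, $3 = subject CN, $4 = EKU, $5 = SAN
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature' \
    "extendedKeyUsage = $4" > "$WORK/$2.ext"
  if [ -n "${5:-}" ]; then printf 'subjectAltName = %s\n' "$5" >> "$WORK/$2.ext"; fi
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Does a party that holds only CA $1's chain trust leaf $2? Prints ok or fail.
chain_ok() {  # $1 = CA name, $2 = leaf name
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Same check, but the leaf must also fit a TLS role (sslserver or sslclient),
# which is what rejects a user cert offered as a server cert and vice versa.
purpose_ok() {  # $1 = CA name, $2 = leaf name, $3 = purpose
  if openssl verify -CAfile "$WORK/$1.crt" -purpose "$3" "$WORK/$2.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Does the ASA cert match what the client dials? $3 is "hostname" for an
# FQDN or "ip" for a bare outside address (openssl verify -verify_hostname /
# -verify_ip); a DNS-only SAN fails the IP check.
name_ok() {  # $1 = CA name, $2 = leaf name, $3 = hostname|ip, $4 = dialled name
  if openssl verify -CAfile "$WORK/$1.crt" "-verify_$3" "$4" "$WORK/$2.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Issuer DN in RFC 2253 form, e.g. "CN=corp-ca". Compare it with the CA certs
# the ASA shows per trustpoint to see which trustpoint a live cert came from.
issuer_of() {  # $1 = leaf name
  openssl x509 -noout -issuer -nameopt RFC2253 -in "$WORK/$1.crt" | sed 's/^issuer=//'
}

# Fetch the cert a real ASA presents on its outside interface (needs network,
# not run in this lab). This is the cert bound by "ssl trust-point".
live_asa_cert() {  # $1 = FQDN or IP of the ASA
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}

build_lab() {
  if [ -f "$WORK/asa-public.crt" ]; then return 0; fi
  make_ca corp-ca      # internal CA
  make_ca public-ca    # stands in for a third-party CA
  issue_cert corp-ca   asa        vpn-cn.example.com serverAuth DNS:vpn-cn.example.com
  issue_cert corp-ca   client     alice              clientAuth
  issue_cert public-ca asa-public vpn-cn.example.com serverAuth DNS:vpn-cn.example.com
}

build_lab
echo "ASA cert issued by:                               $(issuer_of asa)"
echo "client trusts corp-ca, ASA cert from corp-ca:     $(chain_ok corp-ca asa)"
echo "client trusts corp-ca, ASA cert from public-ca:   $(chain_ok corp-ca asa-public)"
echo "ASA holds corp-ca chain, user cert from corp-ca:  $(purpose_ok corp-ca client sslclient)"
echo "ASA holds only public-ca chain, same user cert:   $(purpose_ok public-ca client sslclient)"
echo "profile dials vpn-cn.example.com:                 $(name_ok corp-ca asa hostname vpn-cn.example.com)"
echo "profile dials 203.0.113.10:                       $(name_ok corp-ca asa ip 203.0.113.10)"
```

The two "fail" results are the two imports the answer describes: the client side fails until the CA chain that issued the ASA's cert is installed on the client (not needed when that CA is a public one the OS already trusts), and the ASA side fails until the chain of the CA that issued the user certs is imported into a trustpoint on the ASA. The last line is the FQDN point: if the profile connects to a bare IP, the ASA cert needs that address in its SAN (or the clients will get a name mismatch), so an FQDN in the profile and in the cert is the simpler path.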