cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
119
Views
0
Helpful
1
Replies
Highlighted
Beginner

ASA AnyConnect Client Authentication using Certifications

Hello All

Need some guidance on cert based authentication.

We have anyconnect configured in the UK that terminate on ASA's in the UK. I can see from the profile

that they use certificates to authenticate but I can't tell which one as the ASA has several certs installed.

How can I tell what cert is being used?

I need to cert based authentication for another ASA, can I use a self signed certificate from the ASA ?

How would I go about adding this certificate to the client side considering they are remotes user?

We have an internal CA, can I use that to obtain both cert for ASA and the clients or do I use a third party CA.

Note clients are in China so not sure if any implications in using a trusted third party but I understand using a third party no certs need to be installed on the client side, correct?

Will I need a FQDN for my outside ip address when using certs?

I assume I will have to install multiple certs on the clients if they connect to different ASAs (using different proifiles) as long as they have the corresponding certs installed on the terminating ASAs.

 

Thanks

FB

 

 

1 REPLY 1
Highlighted
Collaborator

Re: ASA AnyConnect Client Authentication using Certifications

Hi,

 

   The certificate used by the ASA is the one configured via "ssl trust-point" command. You have the following options:

            - public certificate on both ASA and clients (pretty expensive)

            - public certificate on ASA and private certificate on clients (less expensive and recommended option)

            - private certificate on the ASA and private certificate on clients (no expensed, but less recommended as the one above).

 

Whatever option you choose, you need to fix the chain of trust: clients needs to trust the ASA's certificate and ASA needs to trust the clients certificate. If both the ASA and clients have certificates issued but he same CA, there is nothing to be done. If the ASA and clients certificates are not issued by the same CA, you need to import on the ASA the certificate chain of the CA that issued certificates to the clients, and on the clients you need to import the certificate chain of the CA that issued certificate to the ASA (if this is public, there is nothing to be done, the modern operating systems trust all legit an public CA's).

 

Regards,

Cristian Matei.