Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
549
Views
0
Helpful
1
Replies

ASA AnyConnect Client Authentication using Certifications

feisalb
Level 1
Level 1

‎04-06-2020 09:37 AM

Hello All

Need some guidance on cert based authentication.

We have anyconnect configured in the UK that terminate on ASA's in the UK. I can see from the profile

that they use certificates to authenticate but I can't tell which one as the ASA has several certs installed.

How can I tell what cert is being used?

I need to cert based authentication for another ASA, can I use a self signed certificate from the ASA ?

How would I go about adding this certificate to the client side considering they are remotes user?

We have an internal CA, can I use that to obtain both cert for ASA and the clients or do I use a third party CA.

Note clients are in China so not sure if any implications in using a trusted third party but I understand using a third party no certs need to be installed on the client side, correct?

Will I need a FQDN for my outside ip address when using certs?

I assume I will have to install multiple certs on the clients if they connect to different ASAs (using different proifiles) as long as they have the corresponding certs installed on the terminating ASAs.

 

Thanks

FB

 

 

Labels:
Preview file
73 KB
0 Helpful
1 Reply 1

Cristian Matei
VIP Alumni
VIP Alumni

‎04-06-2020 10:10 AM

Hi,

 

   The certificate used by the ASA is the one configured via "ssl trust-point" command. You have the following options:

            - public certificate on both ASA and clients (pretty expensive)

            - public certificate on ASA and private certificate on clients (less expensive and recommended option)

            - private certificate on the ASA and private certificate on clients (no expensed, but less recommended as the one above).

 

Whatever option you choose, you need to fix the chain of trust: clients needs to trust the ASA's certificate and ASA needs to trust the clients certificate. If both the ASA and clients have certificates issued but he same CA, there is nothing to be done. If the ASA and clients certificates are not issued by the same CA, you need to import on the ASA the certificate chain of the CA that issued certificates to the clients, and on the clients you need to import the certificate chain of the CA that issued certificate to the ASA (if this is public, there is nothing to be done, the modern operating systems trust all legit an public CA's).

 

Regards,

Cristian Matei.

0 Helpful
Customers Also Viewed These Support Documents