04-04-2014 12:22 AM - edited 02-21-2020 07:35 PM
Hello,
basics: newest ASA/AnyConnect software and Windows Client
I want to do the following:
(No interaction from user during connection establishing necessary.)
In the default "Connection Profiles" configuration it is only possible to configure the authentication method "both", which means certificate and AAA, i.e. username + password/passcode.
Is there a way to implement double certificate authentication as mentioned anyway?
Regards Marcus
04-04-2014 06:45 AM
You could check for secret registry keys with a prelogin policy to verify that it's company hardware.
04-04-2014 08:32 AM
On your connection profile editing window, go under "advanced". There you have the option of specifying a secondary authentication method independent of the primary method. Using that approach, you can specify certificate method for both authentications.
As noted, you could also have a prelogin policy (DAP) to check for various files (or even their hash for greater security), registry keys, etc. For instance, you could check that the machine is a domain machine (independent of the user).
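The ASDM settings described above correspond to the tunnel-group CLI on the ASA. The following is an added example and not configuration posted in this thread; the names CORP-VPN, LDAP-SRV, CORP-GP and CORP-CA are placeholders, and the `multiple-certificate` keyword assumes a release that supports it (ASA 9.7(1) and later with AnyConnect 4.4 or later; on older releases the ASDM "Advanced > Secondary Authentication" path is the alternative):

```text
! Added example, not from the thread. Placeholder names throughout.
! Trustpoint holding the CA that issued the machine/user certificates.
crypto ca trustpoint CORP-CA
 enrollment terminal
! (import the CA chain with: crypto ca authenticate CORP-CA)

! Ask clients for a certificate on the outside interface.
ssl certificate-authentication interface outside port 443

tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
! Original poster's starting point: certificate AND username/password ("both").
 authentication aaa certificate
! Certificate only, no user prompt (single certificate):
!authentication certificate
! Machine certificate plus user certificate, no AAA prompt (9.7(1)+):
!authentication multiple-certificate
```

Only one of the three `authentication` lines should be active in a given connection profile; the two commented variants show what to swap in for certificate-only or double-certificate authentication.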
04-16-2014 03:18 AM
We're having a similar problem.
We are using two factor authentication by checking computer certificate and username/password (LDAP). This works just fine for the majority of our employees.
Now we are trying to implement an exception for a few users. Those should be able to authenticate by "user certificates" (or better computer and user certificates).
DAP is not an option, due to Essentials license.
Ideas?
11-19-2014 09:27 PM
Hi,
I am trying to implement dual authentication (LDAP + computer certificate based). Currently "LDAP" authentication is perfectly fine, but when I try to implement computer certificate based authentication, AnyConnect shows an error. Could you kindly send me any URL for reference on "how to implement" this, or guide me?
Your kind support is required.
09-30-2014 01:20 PM
Hi Marvin,
Can you tell us what would be the parameters to check if it's a domain machine?
How can we tell anyconnect to send machine information?
Thank you!
09-30-2014 05:38 PM
You need to use Cisco Secure Desktop to scan the host and send back the registry key that identifies the domain to which the machine has been joined. An example of how to do so is in this document.
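A DAP advanced-condition expression that consumes such a registry scan, as an added example (not code from this thread or from Cisco's document). It assumes a HostScan/CSD registry scan whose endpoint ID is `DomainName` and which reads the Windows key `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain`; the domain value `corp.example.com` is a placeholder:

```lua
-- Added example, not from the thread. Evaluated by the ASA DAP engine as the
-- "Advanced" Lua condition of a record that grants the always-on/no-prompt profile.
-- Assumes a HostScan registry scan with endpoint ID "DomainName" (placeholder).
assert(function()
  local expected = "corp.example.com"              -- placeholder domain
  local key = endpoint.registry["DomainName"]      -- nil when the scan found nothing
  if key == nil or key.value == nil then
    return false                                   -- not joined, or scan missing: deny
  end
  -- Registry value is compared case-insensitively so "CORP.EXAMPLE.COM" also passes.
  return string.lower(tostring(key.value)) == expected
end)()
```

The condition fails closed: a missing scan result or an empty value is treated as "not a domain machine", so a non-corporate host falls through to whichever DAP record (typically a terminate or restricted record) is matched next.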
06-01-2021 03:27 PM
Hello
I see that post, but I need a more detailed guide to perform the configuration similar to that in the subject.
An always-on VPN with Cisco AnyConnect application
First -> A machine certificate to create the first connectivity with the ASA, which contains the root CA certificate.
Second -> A user certificate with SCEP to NDES. Once the user is logged in on a corporate machine, we need that user to be allowed with Active Directory. If the certificate is on the laptop -> OK. If not, use SCEP proxy to get the certificate from the NDES.
Could you give us a clue to deploy that configuration?
Thank you in advance.
04-07-2014 05:24 AM
I have almost the same situation and need a bit of help.
I have an ASA5520 and now it is possible to connect with AnyConnect using either user/pass or a machine certificate. But how do I set it up so that it first checks the machine certificate, and if it is not present then it asks for user/pass?