ASA anyconnect vpn with SAML and certificate authentication

xbill42 (Level 1)

Hi,

Does someone know if ASA supports client certificate authentication + SAML with AnyConnect?

As I understand, the certificate is verified on the ASA, then I need a second-factor auth with a SAML connection to a 2FA provider.

Note: I also have ISE for authorization only and posture (I use authorize-only mode). But maybe the SAML can be integrated here? I'm not sure, because ASA talks with ISE in RADIUS and not HTTPS.

Best regards

Accepted Solution

Josue Brenes (Cisco Employee)

Hi xbill42,

That is correct.

While using SAML for the authentication, there is no other method like Certificate authentication or AAA (RADIUS, LDAP) that can be used in conjunction with it.

There is one Certificate authentication that can take place, but it will be between the SAML IdP and the Client PC; the ASA will not be part of this.

AnyConnect 4.7.04056 New Features

This is a maintenance release that includes the following features and enhancements, and that resolves the defects described in AnyConnect 4.7.04056:

  • (Windows Only) SAML + Client Certificate—Within AnyConnect SAML flow, we added support for Client Certificate requests within the AnyConnect embedded browser

Rate if it helps.

Regards,

Josue Brenes

TAC - VPN Engineer.

Replies

xbill42 (Level 1)

Hi,

Regarding the ASA, I think I have the response in the docs:

  • This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together

Best regards


So to set up SAML + Client Certificate authentication you need to set authentication method to SAML on the ASA/Firepower? I guess you can use Azure to validate the Client Certificate? Is there any guide available for this?

elparis (Cisco Employee)

Starting with ASA 9.18 and Firepower 7.2, SAML + certificate authentication is supported.