ASA User Certificates with RADIUS

mazevedo1
Level 1

I have a new requirement of having Certificates as another factor of authentication in addition to RADIUS. My ASA is running 9.14 so using a Local CA is no longer an option after 9.13 and the environment is isolated so no ASDM.

Does anyone know what options I would have? I've been poking around the documentation to find out if I can either:

1. Generate certs on the ASA and give to the users (not sure how to do it without ASA being Local CA)

2. Generate ad-hoc certs with the CN as the username and upload to the ASA to attach to the user

I've never had to do certificates for Anyconnect before and in this specific instance each user (8 people) will need their own individual cert.

Anyone have any ideas or documentation to point me in the right direction?

Accepted Solution

@mazevedo1 as you cannot use the ASA as a CA any longer, you would have to use Windows CA or OpenSSL to issue certificates to the user or computer. The ASA would need to trust the certificate presented by the client for authentication.

Here is an example of an OpenSSL CA for authentication and importing the certificate to a Windows computer.

https://integratingit.wordpress.com/2019/01/14/openssl-ca-for-vpn-authentication/

Here is an example of how to install a certificate on the ASA.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

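An added example (not from the thread or from either poster) of the OpenSSL CA approach described above: it creates a small CA, issues one client certificate per AnyConnect user with the RADIUS username as the CN, bundles each as PKCS#12 for the Windows import step, and checks that the result chains to the CA and is valid for client authentication. The directory, CA name, usernames and export password are made-up placeholders; it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread. Minimal OpenSSL CA issuing one client
# certificate per AnyConnect user, CN = that user's RADIUS username.
# Assumptions: CA_DIR, the CA name, usernames and the PKCS#12 password are
# placeholders; OpenSSL 1.1.1+ is required for -addext.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Create the CA key and self-signed CA certificate. ca.crt is what you import
# into the ASA trustpoint; ca.key never leaves this host.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -subj "/CN=Example VPN CA" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# Issue a per-user client certificate whose CN is the RADIUS username, then
# bundle key + cert as PKCS#12 for import into that user's Windows cert store.
issue_user_cert() {
  user="$1"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$CA_DIR/$user.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$user" \
    -keyout "$CA_DIR/$user.key" -out "$CA_DIR/$user.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -CAcreateserial -extfile "$CA_DIR/$user.ext" \
    -in "$CA_DIR/$user.csr" -out "$CA_DIR/$user.crt" 2>/dev/null
  openssl pkcs12 -export -name "$user" -passout pass:changeit \
    -inkey "$CA_DIR/$user.key" -in "$CA_DIR/$user.crt" -out "$CA_DIR/$user.p12"
}

# Print the CN of a certificate: the subject name the ASA sees, which it can
# prefill as the username for the RADIUS (second) factor.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject= *CN=//p'
}

# Succeeds only if the certificate chains to our CA and is usable for client
# auth; a cert from any other CA, or a server cert, is rejected.
verify_user_cert() {
  openssl verify -CAfile "$CA_DIR/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

make_ca
for u in alice bob; do
  issue_user_cert "$u"
  verify_user_cert "$CA_DIR/$u.crt" && echo "issued $(cert_cn "$CA_DIR/$u.crt") -> $CA_DIR/$u.p12"
done
```

Import ca.crt into the ASA trustpoint and hand each user only their own .p12; to tie the two factors together the ASA can prefill the AAA username from the certificate CN (`username-from-certificate CN` under the tunnel-group's webvpn-attributes), so the name checked against RADIUS is the one in the cert.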
3 Replies

Thank you for your response Rob! This is exactly what I was looking for!

Just a quick question, with this solution how do I map the certificate to the username coming in from RADIUS?

I want to make sure it's not one shared cert and each user has certs linked directly to their username.

@mazevedo1 certificate authentication is between the client and the ASA, not RADIUS.

As you are doing 2FA (certificate + AAA) then when you authenticate using AAA it's the user's normal username/password that is authenticated against RADIUS.