04-27-2022 08:42 AM
I have a new requirement of having Certificates as another factor of authentication in addition to RADIUS. My ASA is running 9.14 so using a Local CA is no longer an option after 9.13 and the environment is isolated so no ASDM.
Does anyone know what options I would have? I've been poking around the documentation to find out if I can either:
1. Generate certs on the ASA and give to the users (not sure how to do it without ASA being Local CA)
2. Generate ad-hoc certs with the CN as the username and upload to the ASA to attach to the user
I've never had to do certificates for Anyconnect before and in this specific instance each user (8 people) will need their own individual cert.
Anyone have any ideas or documentation to point me in the right direction?
04-27-2022 09:13 AM
@mazevedo1 as you cannot use the ASA as a CA any longer, you would have to use Windows CA or OpenSSL to issue certificates to the user or computer. The ASA would need to trust the certificate presented by the client for authentication.
Here is an example of OpenSSL CA for authentication and importing the certificate to a Windows computer.
https://integratingit.wordpress.com/2019/01/14/openssl-ca-for-vpn-authentication/
Here is an example of how to install a certificate on the ASA.
04-27-2022 09:55 AM
Thank you for your response Rob! This is exactly what I was looking for!
Just a quick question, with this solution how do I map the certificate to the username coming in from RADIUS?
I want to make sure it's not one shared cert and each user has certs linked directly to their username.
04-27-2022 10:03 AM
@mazevedo1 certificate authentication is between the client and the ASA, not RADIUS.
As you are doing 2FA (certificate + AAA) then when you authenticate using AAA it's the user's normal username/password that is authenticated against RADIUS.
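The OpenSSL workflow the reply above points to, as an added example that is not part of the thread or of the linked blog post: a tiny CA that issues one client certificate per AnyConnect user with the CN set to that user's RADIUS username, bundles it as a PKCS#12 for import on the user's Windows machine, and checks the issued certificate against the CA. It assumes `openssl` 1.1 or newer is on the PATH; the directory name, organization names, validity periods and the `changeme` export password are placeholders to replace.

```shell
#!/bin/sh
# Added example, not from the thread: per-user client certificates from an
# OpenSSL CA for certificate + RADIUS two-factor AnyConnect authentication.
# Assumptions: openssl 1.1+ on PATH. Paths, names and the export password
# below are hypothetical placeholders.
set -eu

CA_DIR="${CA_DIR:-./vpn-ca}"   # hypothetical working directory for the CA

# Create the CA: a private key plus a self-signed root certificate.
# ca.crt is the file imported on the ASA as the trustpoint's CA certificate.
make_ca() {
  mkdir -p "$CA_DIR/users"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
    -subj "/O=Example VPN/CN=Example VPN CA" 2>/dev/null
}

# Issue a client certificate for one user. $1 = username, which becomes the CN
# so the ASA can pull the AAA username straight from the certificate.
# Produces users/<user>.p12 (key + cert + CA) for the user's Windows store.
issue_user_cert() {
  user="$1"
  out="$CA_DIR/users/$user"
  # Key pair and CSR for this user only; never reuse a key between users.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$out.key" -out "$out.csr" \
    -subj "/O=Example VPN/OU=VPN Users/CN=$user" 2>/dev/null
  # Restrict the certificate to client authentication use.
  printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$out.ext"
  openssl x509 -req -in "$out.csr" \
    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
    -days 365 -extfile "$out.ext" -out "$out.crt" 2>/dev/null
  # Bundle for import on the user's computer (password is a placeholder).
  openssl pkcs12 -export -inkey "$out.key" -in "$out.crt" \
    -certfile "$CA_DIR/ca.crt" -out "$out.p12" -passout pass:changeme
  rm -f "$out.csr" "$out.ext"
}

# Print the CN of a user's issued certificate (works with 1.0/1.1/3.x output).
cert_cn() {
  openssl x509 -noout -subject -in "$CA_DIR/users/$1.crt" | sed 's/.*CN *= *//'
}

# Verify that a user's certificate chains to our CA; exit status 0 = valid.
verify_user_cert() {
  openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/users/$1.crt" >/dev/null
}

# Stand-alone run: build the CA and issue certificates for eight users.
if [ "${1:-}" = "run" ]; then
  make_ca
  for u in alice bob carol dave erin frank grace heidi; do
    issue_user_cert "$u"
    echo "issued $(cert_cn "$u") -> $CA_DIR/users/$u.p12"
  done
fi
```

Run it as `sh vpn-ca.sh run`. On the ASA side (from my own knowledge of the ASA CLI, not from the thread), import `ca.crt` into a trustpoint, set `authentication aaa certificate` under the tunnel-group's `webvpn-attributes`, and add `pre-fill-username ssl-client` with `username-from-certificate CN` there; that last pair makes the ASA take the AAA username from the certificate's CN instead of letting the user type one, so a certificate issued to `alice` can only be used together with alice's RADIUS credentials. Keep `ca.key` off the ASA and off user machines; only the root certificate is distributed.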