09-18-2011 10:24 AM - edited 02-21-2020 05:35 PM
Hi Everybody,
Is it possible to authenticate AnyConnect users using both machine cert AND personal user cert (smart card) at the same time? Not machine cert OR personal cert. Thanks in advance!
/K
09-19-2011 02:35 AM
Patrik,
I do not believe this to be the case. SSL only asks once for the client to present an authentication certificate during a session.
Marcin
09-19-2011 02:28 PM
OK, that's what I suspected. Would be nice if it was possible though...
/K
09-20-2011 04:56 AM
Patrik,
I guess it might be just a question of multiplexing sessions.
But for us to be on the same page, this is not really the most secure scenario (as well as certificate only authentication).
Typically we say that a proper authentication is based on something you have (certificate, smart card, token etc.) and something you know (username/password). Although the two mix (two-factor authentication, for example), it's still best to have this separation.
Marcin
09-20-2011 05:44 AM
We do something similar - machine cert for the AnyConnect/SBL connection, then the user must authenticate to the laptop using cached domain credentials. Something they have (the machine cert) and something they know (username/password). These are separate authentications, however. One is the VPN, the other is technically to the domain.
09-27-2011 06:26 AM
I'm with you guys on the security issue - that you shouldn't use only certificate-based authentication. But in this case - in order for the user to access his/her user cert on the smart card, a PIN code must be entered. So authentication would be performed on something the user has (machine cert) and on something the user knows (PIN code to access the user cert on the smart card).
Is authentication still not possible using machine + user cert at the same time?
/K