Automatic AAA Authentication

iruleatants
Level 1

We have a Cisco ASA 5500 series, and we are currently in the process of moving away from a Cisco VPN Client setup to a Cisco AnyConnect setup. During this process we want to make it so User Authentication is automatic and painless (the mobile team loves to complain). If we use certificate-based authentication this works perfectly, but rolling out certificates to 200+ users is not ideal.

We want to use SCEP to do this then, but before we can make an SCEP request, we need to authenticate using AAA. This is not something that we want to do, as asking them to put in a password, even once, would upset them. Is there any way to provide automatic authentication through AAA? (They will be signed in through a domain account when connecting). I would love it if anyone has any solutions for this.


Marcin Latosiewicz
Cisco Employee

John,

The requirement of not putting the password even once, I would consider it a security risk.

If it does allow a normal user not to do it, it COULD allow a malicious user the same access.

AnyConnect does allow a certain level of credential caching, but it's not the smartest option if you ask me.

I would suggest checking ASA's SCEP proxy or legacy SCEP enrollment features, where you COULD perform initial enrollment by doing username/password auth and have all subsequent connections done via cert auth.

M.
