
Can we run AnyConnect using self signed certificates?

jimmyc_2
Level 1

I have a lab where I want to build a laptop-to-ASA remote access tunnel, using AnyConnect.

I understand AnyConnect requires IKEv2, and certificates.

It does not allow for pre-shared passwords, like VPN-client.

Is there a way I can build the lab without getting a certificate?


jimmyc_2
Level 1

To follow up, has anyone used OpenSSL to build a certificate and use it on AnyConnect/ASA?

AnyConnect does not require certificates if you use SSL VPN (vs. IKEv2 IPsec VPN). On an SSL VPN you can use local authentication on the ASA or external authentication to AD, LDAP, RADIUS, etc. (in addition to or instead of certificates).

If you want to use IKEv2 and certificate authentication you can use either the ASA itself as the CA server or proxy (via SCEP) to an internal CA (e.g. a Windows server with Certificate Services). There are some other possible methods (such as the way you asked about) but in my experience they are not commonly used as few users have the knowledge or desire to go that route. Most organizations using client certificates deploy them from an internal root CA.
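The OpenSSL route asked about above, worked through for a lab as an added example (not part of the thread and not Cisco's documentation). It goes one step beyond a single self-signed certificate: a private lab root signs the ASA's identity certificate, so clients only need to trust that one root. The FQDN, CA name, file names and passphrase are constructed placeholders, and the ASA-side import is not shown.

```shell
#!/bin/sh
# Added example: lab-only root CA plus an ASA identity certificate, built with OpenSSL.
# Constructed placeholders: vpn.lab.example, "Lab Root CA", file names, passphrase.
# Lab use only: private keys are written unencrypted (-nodes).
set -eu
LAB_FQDN="vpn.lab.example"      # name typed into AnyConnect; must match the SAN
P12_PASS="lab-only-change-me"   # protects the PKCS#12 bundle

build_lab_pki() {   # $1 = output directory
  d=$1; mkdir -p "$d"
  cat > "$d/lab.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_asa]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LAB_FQDN
EOF
  # 1. Self-signed lab root: the only certificate clients have to trust.
  openssl req -x509 -config "$d/lab.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/CN=Lab Root CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # 2. Key and CSR for the name the ASA is reached by.
  openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$LAB_FQDN" -keyout "$d/asa.key" -out "$d/asa.csr" 2>/dev/null
  # 3. Sign the CSR with the lab root, adding serverAuth and the SAN.
  openssl x509 -req -in "$d/asa.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -sha256 -days 365 -extfile "$d/lab.cnf" -extensions v3_asa -out "$d/asa.crt" 2>/dev/null
  # 4. Bundle key, certificate and root as PKCS#12 for import into an ASA trustpoint.
  openssl pkcs12 -export -inkey "$d/asa.key" -in "$d/asa.crt" -certfile "$d/ca.crt" \
    -passout "pass:$P12_PASS" -out "$d/asa.p12"
}
# Checks worth running before the bundle goes anywhere near the ASA.
chain_verifies() { openssl verify -CAfile "$1/ca.crt" "$1/asa.crt" >/dev/null 2>&1; }
san_matches()    { openssl x509 -in "$1/asa.crt" -noout -text | grep -q "DNS:$LAB_FQDN"; }
key_matches_cert() {
  [ "$(openssl x509 -in "$1/asa.crt" -noout -pubkey)" = "$(openssl pkey -in "$1/asa.key" -pubout)" ]
}
p12_cert_count() { openssl pkcs12 -in "$1/asa.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null | grep -c "BEGIN CERTIFICATE"; }

OUT="${1:-$(mktemp -d)}"
build_lab_pki "$OUT"
chain_verifies "$OUT" && san_matches "$OUT" && key_matches_cert "$OUT" && echo "lab PKI written to $OUT"
```

AnyConnect will still warn about an untrusted server until `ca.crt` is installed in the client's trust store.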

Thank you Marvin,

Several years ago, the IPSec method was deemed more secure than SSL.

From a practical perspective, is using AnyConnect with SSL more or less the equivalent of IPSec?

Practically speaking you can accomplish just about everything with SSL VPN (AnyConnect client) that you could with IPSec VPN (legacy IPsec or 3rd party client).

You get the advantage of modern OS support (i.e. Windows 8 etc.) and the ability to add a lot of other features (with AnyConnect Premium licensing) and integrate other modules such as NAM and Cloud Web Security etc.
