06-05-2020 01:40 AM
Hi,
Is it possible to perform certificate authentication in ASA with AnyConnect together with SAML using Cisco DUO Access Gateway?
Thanks.
06-05-2020 01:56 AM
Hi,
Yes, that should be possible. With the ASA, under the tunnel-group configuration you can specify "aaa" for the DUO authentication AND "certificate" for the certificate authentication. The ASA will need to trust and validate the certificate presented by the client computer.
tunnel-group RAVPN webvpn-attributes
 authentication aaa certificate
HTH
06-05-2020 02:09 AM
Hi,
I already tried that but it doesn't work. Notice that selecting any option other than "SAML" will make the ASA ignore the SAML server configured below and use only the AAA server defined.
It should work using DUO's Authentication Proxy as a secondary AAA server, since it is a regular RADIUS server, but it has some limitations compared with the Access Gateway.
Regards.