Certificate Based Authentication + LDAP MAP

adrianoden
Level 1

Would it be possible to perform 2-factor authentication in such a way as to require only a certificate, but also verify that the user is a member of a group within Active Directory?

The goal being that the user still has to enter nothing for a username and password, since AnyConnect will look at the user certificate store, but in the background it also checks the username against a permitted group within Active Directory.

1 Reply

Herbert Baerten
Cisco Employee

Hi

Yes, you can use certificate authentication with LDAP authorization and use either the LDAP MAP or DAP to apply settings based on LDAP attributes (e.g. memberOf).

You may need a feature known as "username-from-certificate" that you can use to specify which field in the certificate the ASA should consider to be the username to send to the LDAP server.

Note that this is not considered 2-factor authentication, since you only use the certificate for authentication, the LDAP lookup is doing authorization only.

If you want to do real 2-factor authentication then you can still use the username-from-certificate feature to pre-fill the username in the login screen, so the user only needs to enter his password.

hth

Herbert
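An added configuration example illustrating the approach described in the reply (certificate authentication, LDAP authorization, username-from-certificate, and an LDAP attribute map on memberOf); this is not the author's configuration, and the server address, DNs, group-policy and tunnel-group names are assumed placeholders.

```cisco
! LDAP attribute map: translate the AD memberOf value into an ASA group policy.
! memberOf is multi-valued; map-value must match the group's full DN exactly,
! and nested group membership is not expanded here.
ldap attribute-map LDAP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-VPN-USERS

! LDAP server used for authorization only (no password is checked here).
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map LDAP-MAP

! Default policy for users whose memberOf did not match: deny the session.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy assigned to members of the permitted AD group.
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-simultaneous-logins 3

tunnel-group CERT-LDAP type remote-access
tunnel-group CERT-LDAP general-attributes
 ! Use the certificate's CN as the username sent to the LDAP server.
 username-from-certificate CN
 authorization-server-group LDAP-AD
 authorization-required
 default-group-policy GP-NOACCESS
tunnel-group CERT-LDAP webvpn-attributes
 ! Only the certificate authenticates the user; no password prompt.
 authentication certificate
 group-alias cert-vpn enable
```

The fail-closed default policy is what turns the LDAP lookup into an effective access check: a valid certificate whose CN is not in the mapped group lands in GP-NOACCESS and is rejected.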
