12-19-2011 05:20 AM - edited 02-21-2020 05:46 PM
Hi,
I'm using certificate authentication and LDAP authorization and it works fine.
Now I want to centralize authentication and authorization on a RADIUS server (Cisco ACS in my case).
In the connection profile, we have 3 authentication methods:
If I choose the certificate authentication method, I can't delegate authentication and authorization to the RADIUS server.
Is there a solution for delegating certificate authentication to RADIUS?
I have different authorization rules for each VPN connection profile.
Can the ASA send the VPN connection profile to RADIUS (in a RADIUS attribute...)?
Thanks for your help,
Patrick
01-29-2013 08:30 AM
Patrick,
The key thing in deployments using WLC is that the supplicant on the client can talk EAP (including EAP-TLS), so the AAA server can authenticate the certificate.
In the case of AnyConnect, or the old IPsec client, there is no way to send the full cert to the AAA server (either not implemented/redundant from the client's point of view, or not in the standard).
IOS also gives you the possibility to perform a PKI authorization call:
AFAIR no similar mechanism exists on ASA.
M.
09-23-2012 03:16 AM
Hi Patrick,
I've hit the same issue and came across your post. Have you worked out a solution?
If you can't centralise it you don't have a log of all the connections. Wireless certificate authentication works over RADIUS so ideally AnyConnect should too.
Thanks, Darren
12-28-2015 07:05 AM
I have a similar issue. AnyConnect VPN users can't authenticate with RADIUS; it defaults to local. I haven't specified local, nor do I want to. This is for two-factor authentication; AnyConnect VPN users have a certificate installed locally. The certificate is installed from AD, pushed down by group policy.
I tested aaa radius-server authentication and it was successful.
I have the config posted by Javier:
tunnel-group AnyConnect general-attributes
 authentication-server-group RADIUS
!
tunnel-group AnyConnect webvpn-attributes
 authentication aaa certificate
Any ideas? Am I missing something?
Also, what does the certificate-map-group command do?
09-23-2012 05:27 AM
Hi Patrick,
What exactly does not work?
You can have something like this:
tunnel-group AnyConnect general-attributes
 authentication-server-group RADIUS
!
tunnel-group AnyConnect webvpn-attributes
 authentication aaa certificate
Doing this you will use RADIUS to authenticate your AD users and a certificate as a two-factor authentication method.
Please let me know.
Thanks.
Portu.
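As an added example (not from any poster in this thread), a small audit script that walks an ASA running-config excerpt and reports, per tunnel-group, which server group it points at and whether it uses the `authentication aaa certificate` combination described above; the sample config is constructed, and the defaults it assumes (LOCAL when no server group is set, `aaa` when no authentication line is set) are the ASA defaults as I know them.

```python
import re
from typing import Dict, List

# Constructed sample ASA running-config excerpt (not from any real device):
# the tunnel-group lines quoted in this thread plus a second profile that
# was never pointed at a AAA server group.
SAMPLE_CONFIG = """\
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 authentication-server-group RADIUS
 default-group-policy GP-AnyConnect
tunnel-group AnyConnect webvpn-attributes
 authentication aaa certificate
!
tunnel-group Contractors type remote-access
tunnel-group Contractors general-attributes
 default-group-policy GP-Contractors
tunnel-group Contractors webvpn-attributes
 authentication certificate
"""

def audit_tunnel_groups(config: str) -> Dict[str, Dict[str, str]]:
    """Return, per tunnel-group, the AAA server group and authentication mode.

    Assumed ASA defaults: no 'authentication-server-group' line means the
    LOCAL database (the fallback the thread describes), and no
    'authentication' line under webvpn-attributes means 'aaa'.
    """
    groups: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+)\b", line)
        if m:  # any 'tunnel-group <name> ...' line opens that group's context
            current = m.group(1)
            groups.setdefault(current, {"server_group": "LOCAL", "auth": "aaa"})
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("authentication-server-group "):
            groups[current]["server_group"] = stripped.split()[1]
        elif stripped.startswith("authentication "):
            groups[current]["auth"] = stripped[len("authentication "):]
    return groups

def findings(config: str) -> List[str]:
    """Flag profiles whose logins never reach the central AAA server."""
    out = []
    for name, info in audit_tunnel_groups(config).items():
        if info["auth"] == "certificate":
            out.append(f"{name}: certificate-only, AAA server never consulted")
        elif info["server_group"] == "LOCAL":
            out.append(f"{name}: '{info['auth']}' with no server group, uses LOCAL")
    return sorted(out)
```

Run it against `show running-config tunnel-group` output to see which profiles still bypass RADIUS (or ISE) for logging and authorization.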
09-24-2012 12:23 AM
Hi,
@Darren, I contacted Cisco reseller support and there is no solution...
@Javier, if I choose certificate authentication, I can't delegate authentication to the RADIUS server. The ASA checks certificate validity...
As Darren said, Cisco WLC can delegate certificate authentication to RADIUS, but Cisco ASA can't.
Best regards,
Patrick
01-29-2013 06:55 AM
Did anyone try Portu's response?
tunnel-group AnyConnect general-attributes
 authentication-server-group RADIUS
!
tunnel-group AnyConnect webvpn-attributes
 authentication aaa certificate
I'm trying to do the same thing, except using ISE as the RADIUS server.
Thanks.