Patrick Tran
Beginner

[Cisco AnyConnect] Certificate authentication on RADIUS

Hi,

I'm using certificate authentication and LDAP authorization and it works fine.

Now, I want to centralize authentication and authorization on a RADIUS server (Cisco ACS in my case).

In connection profile, we have 3 authentication methods:

  • AAA: I can choose RADIUS or LDAP server group --> User is prompted for credentials user/password
  • Certificate: I can't choose AAA Server Group... --> User must provide certificate
  • Both: I can choose RADIUS or LDAP --> User is prompted for credentials user/password and user must provide certificate

If I choose the certificate authentication method, I can't delegate authentication and authorization to the RADIUS server.

Is there a solution for delegating certificate authentication to RADIUS?

I have different authorization rules for each VPN connection profile.

Can ASA send VPN connection profile to RADIUS? (in RADIUS attribute...)

Thanks for your help,

Patrick

Accepted Solution

Patrick,

The key thing in deployments using WLC is that the supplicant on the client can talk EAP (including EAP-TLS), so the AAA server can authenticate the certificate.

In case of AnyConnect, or the old IPsec client, there is no way to send the full cert to the AAA server (either not implemented/redundant from the client's point of view, or not in the standard).

IOS gives you also a possibility to perform PKI authorization call:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/15-2mt/sec-cfg-auth-rev-cert.html

AFAIR no similar mechanism exists on ASA.

M.


6 Replies

dmh
Contributor

Hi Patrick,

I've hit the same issue and came across your post. Have you worked out a solution?

If you can't centralise it you don't have a log of all the connections. Wireless certificate authentication works over RADIUS so ideally AnyConnect should too.

Thanks, Darren

I have a similar issue. AnyConnect VPN users can't authenticate with RADIUS; it defaults to local. I haven't specified local, nor do I want to. This is for two-factor authentication; AnyConnect VPN users have a certificate installed locally. The certificate is installed from AD, pushed down by group policy.

I tested aaa radius-server authentication and it was successful.

I have the config posted by Javier:

tunnel-group AnyConnect general-attributes
     authentication-server-group RADIUS
!
tunnel-group AnyConnect webvpn-attributes
     authentication aaa certificate

Any ideas? Am I missing something?

Also, what does the certificate-map-group command do?

Hi Patrick,

What exactly does not work?

You can have something like this:

tunnel-group AnyConnect general-attributes
     authentication-server-group RADIUS
!
tunnel-group AnyConnect webvpn-attributes
     authentication aaa certificate

Doing this, you will use RADIUS to authenticate your AD users and a certificate as the second factor of a two-factor authentication method.

Please let me know.

Thanks.

Portu.
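As an added example (not configuration posted in this thread), here is the fuller ASA configuration that Portu's two-line snippet implies, with comments marking what each half of the logon checks. The only names taken from the thread are the tunnel-group "AnyConnect" and the server group "RADIUS"; the trustpoint CORP-CA, the certificate map CORP-USERS, the group policy GP-AnyConnect, the interface name "outside", the RADIUS host 10.0.0.5 and its key are all assumed for illustration.

```text
! Added example, not from the thread. Assumed names: CORP-CA, CORP-USERS,
! GP-AnyConnect, interface "outside", RADIUS host 10.0.0.5 and its key.
!
! 1. RADIUS server group: only the username/password half of the logon goes
!    here (Cisco ACS or ISE). The client certificate is never forwarded.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.5
 key RADIUS-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813
!
! 2. Trustpoint holding the CA that issued the user certificates. The ASA
!    validates the presented certificate against this chain itself, which
!    is the point made in the accepted answer: there is no RADIUS hand-off.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl
!
! 3. Certificate map: select the AnyConnect connection profile only for
!    certificates from the expected issuer and OU, instead of letting the
!    user pick any profile from the drop-down.
crypto ca certificate map CORP-USERS 10
 issuer-name attr cn eq CORP-CA
 subject-name attr ou eq VPN-Users
!
webvpn
 enable outside
 ! Certificates matching CORP-USERS are mapped to the AnyConnect profile.
 certificate-group-map CORP-USERS 10 AnyConnect
!
group-policy GP-AnyConnect internal
group-policy GP-AnyConnect attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 authentication-server-group RADIUS
 default-group-policy GP-AnyConnect
tunnel-group AnyConnect webvpn-attributes
 ! Two factors: certificate checked by the ASA, credentials by RADIUS.
 authentication aaa certificate
 ! Pre-fill the username from the certificate CN so the RADIUS account
 ! must belong to the certificate holder, not to any valid AD account.
 pre-fill-username ssl-client
 username-from-certificate CN
 group-alias AnyConnect enable
```

Before testing a client, confirm the RADIUS half on its own with `test aaa-server authentication RADIUS host 10.0.0.5 username <user> password <password>` (the check the poster above describes doing), and watch `show vpn-sessiondb anyconnect` for the session's tunnel-group and group-policy once a client connects. The `pre-fill-username` and `username-from-certificate` lines are what tie the two factors to the same identity; without them the certificate and the credentials are validated independently.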

Hi,

@Darren, I contacted Cisco reseller support and there is no solution...

@Javier, if I choose certificate authentication, I can't delegate authentication to the RADIUS server. The ASA checks certificate validity...

As Darren said, Cisco WLC can delegate certificate authentication to RADIUS, but Cisco ASA can't.

Best regards,

Patrick


srue
Rising star

Did anyone try Portu's response?

tunnel-group AnyConnect general-attributes
     authentication-server-group RADIUS
!
tunnel-group AnyConnect webvpn-attributes
     authentication aaa certificate

I'm trying to do the same thing, except using ISE as the RADIUS server.

Thanks.
