Cisco ASA AnyConnect SSL VPN - certificates + token?

Hello,

I'm searching for an answer as to whether the following configuration is possible:

Cisco AnyConnect SSL VPN service with two-factor authentication: the first method being a certificate from a local Microsoft CA and the second method a one-time password from the Symantec VIP token solution?

I know that if the two-factor authentication were user/password from Active Directory + OTP from Symantec VIP there would be no problem, because you can send user + pass with RADIUS, but with certificates I don't really understand who will verify the certificate's validity, what from the certificate we'll send to the RADIUS server for validation, and what the configuration will look like from the ASA's point of view.

Thank you for the help!

Accepted Solutions

rvarelac
Level 7

Hi Alex,

I don't see a problem with having certificate + token to connect to the VPN. The certificate authentication should be performed on the ASA; see an example below:

https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication

The token authentication can be specified as primary/secondary (SDI authentication) on the ASA; an example below:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

Hope it helps

-Randy-
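
The split described in this thread, as an added ASA configuration example that is not part of the original posts or of the linked Cisco documents: the ASA validates the client certificate against a trustpoint, then sends a username taken from the certificate plus the typed OTP to an AAA server. It assumes the token service is reached over RADIUS, as the question describes; the trustpoint, server group, tunnel group, interface name, address and key are all placeholders.

```cisco
! Constructed example: every name, address and secret here is a placeholder.
!
! 1. Trustpoint for the issuing Microsoft CA. The ASA itself validates the
!    client certificate chain against this trustpoint.
crypto ca trustpoint MS-CA-TP
 enrollment terminal
 ! Check revocation; "revocation-check none" would accept revoked certificates.
 revocation-check crl
!
! 2. RADIUS server group for the OTP validation service.
aaa-server OTP-RADIUS protocol radius
aaa-server OTP-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! 3. Connection profile that requires both factors.
tunnel-group CERT-OTP type remote-access
tunnel-group CERT-OTP general-attributes
 ! Second factor: the OTP is checked by the RADIUS server group.
 authentication-server-group OTP-RADIUS
 ! Certificate field used as the username for the AAA request.
 username-from-certificate CN
tunnel-group CERT-OTP webvpn-attributes
 ! Require a valid certificate AND a successful AAA authentication.
 authentication aaa certificate
 ! Pre-fill the login prompt with the certificate username so the user
 ! only types the OTP (the keyword name varies by ASA release).
 pre-fill-username ssl-client
 group-alias CERT-OTP enable
```

With a profile like this the RADIUS server never sees the certificate: it receives the certificate's CN as the username and the OTP as the password.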
