cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
841
Views
0
Helpful
1
Replies
Highlighted

Cisco ASA AnyConnect SSL VPN - certificates + token?

Hello,

i'm searching for an answer is it possible such configuration:

Cisco AnyConnect SSL VPN service with two factor authentication - first method to be certificate from local Microsoft CA and second method - One time password from token solution Symantec VIP?

I know if the two factor authentication was user/password from Active Directory + OTP by the Symantec VIP there will be no problem, because you can send user+pass with Radius, but with the certificates I don't really understand who will verify the certificate validity, what from the certificate we'll send to the RADIUS server for validation and how the configuration from the ASA point of view will look like.

Thank you for the help!

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Rising star

Hi Alex , 

 

I don't see a problem to have certificate + token to connect to the VPN. The certificate authentication should be performed on the ASA , see an example below:

https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication

 

The token authentication can be specified as primary/secondary (SDI authentication) on the ASA , an example below:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

 

Hope it helps

-Randy-

View solution in original post

1 REPLY 1
Highlighted
Rising star

Hi Alex , 

 

I don't see a problem to have certificate + token to connect to the VPN. The certificate authentication should be performed on the ASA , see an example below:

https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication

 

The token authentication can be specified as primary/secondary (SDI authentication) on the ASA , an example below:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

 

Hope it helps

-Randy-

View solution in original post

Content for Community-Ad