07-20-2022 05:48 AM
We use a MGMT/User Tunnel with certificate authorization (own private CA) for our own users. For the management tunnel we must use our own certificate (on the outside interface).
We would like to give external companies the opportunity to set up a VPN connection (via AnyConnect). They should use username and password for authentication. They only have to start AnyConnect, enter the VPN FQDN, select the right Connection Profile, and enter username and password. Would we have to use a different certificate on the outside interface?
Is it possible to have a MGMT Tunnel and a VPN Profile for external users?
Thanks!
07-20-2022 06:03 AM
@Sascha K. The actual external certificate presented to the user when they connect to the VPN is usually signed by a public CA and is not necessarily issued by the same CA that would authenticate the mgmt tunnel.
It sounds like they just need to authenticate using a username/password (to the user tunnel), and a publicly signed certificate on the external interface is all that is required. I see no reason why an external user would need to use the mgmt tunnel; that's generally used for corporate-owned assets. Regardless, the mgmt tunnel would require a machine certificate, which the external user's device would not have.
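An illustrative ASA configuration for the split described in this answer: one public-CA identity certificate on the outside interface, a certificate-only tunnel-group for the management tunnel pinned to the private CA issuer, and a separate username/password tunnel-group for partners. This is an added example, not configuration from the thread or from Cisco; every trustpoint, map, tunnel-group and group-policy name, the CN values and the LOCAL server group are assumptions.

```cisco
! Identity certificate signed by a public CA, presented to every AnyConnect client
crypto ca trustpoint PUBLIC-CA-TP
 enrollment terminal
 subject-name CN=vpn.example.com
 keypair vpn-outside-key
!
! Private CA that issues the machine certificates used by the management tunnel
crypto ca trustpoint INTERNAL-CA-TP
 enrollment terminal
!
! Only the public-CA certificate is bound to the outside interface
ssl trust-point PUBLIC-CA-TP outside
!
! Match client certificates by issuer so only the private CA can reach MGMT-TUNNEL
crypto ca certificate map INTERNAL-CA-MAP 10
 issuer-name attr cn eq Internal-CA
!
! Management tunnel: certificate authentication only, no group alias shown to users
tunnel-group MGMT-TUNNEL type remote-access
tunnel-group MGMT-TUNNEL general-attributes
 default-group-policy MGMT-GP
tunnel-group MGMT-TUNNEL webvpn-attributes
 authentication certificate
!
! Partner tunnel: username/password, selectable as a connection profile in AnyConnect
tunnel-group PARTNER-VPN type remote-access
tunnel-group PARTNER-VPN general-attributes
 authentication-server-group LOCAL
 default-group-policy PARTNER-GP
tunnel-group PARTNER-VPN webvpn-attributes
 authentication aaa
 group-alias Partner-VPN enable
!
webvpn
 enable outside
 tunnel-group-list enable
 certificate-group-map INTERNAL-CA-MAP 10 MGMT-TUNNEL
```

The certificate map is the check worth keeping: without it, any certificate chaining to any trustpoint the ASA trusts could be offered to the certificate-only tunnel-group, whereas here only certificates issued by the private CA are mapped to MGMT-TUNNEL, and partners never see that profile because it has no group alias.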
07-20-2022 06:36 AM
If I understand you correctly:
I can configure the cert signed by a public CA on the external interface. For the mgmt tunnel (with cert auth) it's only mandatory to have my own CA trusted?