Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2292
Views
0
Helpful
6
Replies

Configuring CRL on Firepower FTD 6.6 for Certificate Based Authentication (VPN)

Go to solution
INFOTECH.jw
Level 1
Level 1

‎10-21-2020 07:14 AM

Hello,

on an FPR-1010 device (Version FTD 6.6.1), simply managed by FDM, I configured an Anyconnect VPN remote access with certificate based authentication. Cisco support team told me, the only way to configure CRL checking for revoced certificates is the usage of FMC. On FDM or CDO it would not be possible to configure CRL checking.

 

It's a setup for a small customer and so I don't want to install an FMC appliance or VM.

 

In the past this scenario worked fine on a Cisco ASA5505, but now it's a step back.

 

Does anyone have an idea for realizing single click VPN dial in experience including the possibility to prevent dial in for stolen mobile devices?

There is an existing on premise MS domain controller. Perhaps I can use RADIUS authentication against it's NPS service?

 

Thanks for all helpful suggestions.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aref Alsouqi
VIP
VIP

‎10-22-2020 01:16 AM

As of now, the certificate revocation check feature is not supported on the FDM. However, it will be supported on version 6.7.x which should be released by the end of this month/early Nov.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎10-21-2020 02:34 PM

Hi @INFOTECH.jw 

What do you mean by single click? Do you want the user to transparently login to the VPN without entering credentials?

 

You can certainly configure radius or ldap authentication, to combine certificate and username/password. That would mitigate the risk from having a stolen laptop.

0 Helpful

Go to solution
INFOTECH.jw
Level 1
Level 1
In response to Rob Ingram

‎10-21-2020 10:35 PM

Right, Rob Ingram.

The user should not type in username/password.

There are various other security measures; the organizational requirement is to avoid entering login data for VPN.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎10-22-2020 01:16 AM

As of now, the certificate revocation check feature is not supported on the FDM. However, it will be supported on version 6.7.x which should be released by the end of this month/early Nov.

0 Helpful

Go to solution
INFOTECH.jw
Level 1
Level 1
In response to Aref Alsouqi

‎10-22-2020 01:53 AM

Hello Aref, these are good news. Until then I can wait.

Thanks for the answer.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to INFOTECH.jw

‎10-22-2020 02:02 AM - edited ‎10-22-2020 02:03 AM

You welcome. The only thing I would recommend in these cases is not to go straight with version 6.7.0 for any production environment since it might have bugs etc. If you don't want to wait till Cisco suggests 6.7.x as the gold release, then I would wait at least for the 6.7.1. On the other side, I should say that I have tested and still testing FMC/FTD version 6.7.0 and did not see any issue till now so far.

0 Helpful

Go to solution
murarisharma4437
Level 1
Level 1

‎07-23-2021 11:25 AM

I have added the CRL URL link in the FMC (Ver 6.6.4) But after adding the CRL url link FMC GUI login page not coming but I m able to login through CLI. Pls suggest how to remove CRL url link from the FMC CLI.

0 Helpful
Customers Also Viewed These Support Documents