Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
864
Views
0
Helpful
1
Replies

FTD - AnyConnect Certificate & SAML Authentication

kylerossd
Level 4
Level 4

‎05-13-2021 09:04 PM

Hello,

Documentation seems to be light here.  Is it possible to do double authentication using a signed certificate and SAML?  The goal would be to authenticate to the ASA with cert, perform SAML auth to the 2FA and authorize the certificate on Cisco ISE.  There is no saml group per se so I don't believe I can use the "secondary-authentication-server-group" command. 

TLDR: can I use authentication saml certificate command?

 

aaa-server ISE protocol radius

authorize-only

interim-accounting-update periodic 1

dynamic-authorization

aaa-server ISE (outside) host aa.bb.cc.dd

key *****

tunnel-group CERT-DUO type remote-access

tunnel-group CERT-DUO general-attributes

address-pool pool

authorization-server-group ISE

accounting-server-group ISE

tunnel-group CERT-DUO webvpn-attributes

authentication saml certificate

saml identity-provider https://explorer.cisco.com/dag/saml2/idp/metadata.php

Labels:
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-18-2021 08:11 AM

I don't think this is supported. I based that on the config guide which tells us:

The authentication options are AAA only, certificate only, multiple-certificate only, AAA and certificate, AAA and multiple-certificate, and SAML.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/vpn/asa-914-vpn-config/vpn-groups.html

0 Helpful
Customers Also Viewed These Support Documents