IPsec VPN with certificate auth and RADIUS

Wayne_G
Level 1

Hi,

I would like to set up certificate-based VPN authentication on a Cisco router, but with the authentication done by a RADIUS server. I have not been able to find an example of this. I have looked at documentation on RADIUS with username/password and documentation on local certificate authentication on the router, but not a combination of the two. Is it possible?

Thanks.

5 Replies

Puneesh Chhabra
Cisco Employee

A non-Cisco doc, though; hope it helps:

http://www.crossrealms.com/cisco-asa-with-radius-and-certificates-for-two-factor-authentication-using-a-microsoft-ca/

Regards

Puneesh

Please rate helpful posts

On a Cisco router:

https://supportforums.cisco.com/discussion/11053336/vpn-router-certificate-authentication

Regards

Puneesh

Please rate helpful posts

Thanks for your reply, but unfortunately those links don't quite apply to my case. The first is for the ASA using the GUI. The second (which is what I have been working off) has one example for local certificate auth and another example for RADIUS auth with username/password, but not RADIUS auth with certificates.

Wayne_G
Level 1

So I have it working - sort of...

What is happening is that the router is verifying the certificate, then the user is prompted for credentials, which the router passes to the RADIUS server.

But what I want is for the router to pass the client certificate to the RADIUS server and not require a username/password.

I suppose it is similar to how a wireless device would do certificate auth. Is it possible with VPN?

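The behaviour described in the post above (router validates the client certificate against its own trustpoint, then runs Xauth against RADIUS) corresponds to the following IOS configuration. This is an added example and not configuration from the thread or from Cisco; every name, address, pool and the RADIUS secret placeholder are assumptions, and the surrounding platform/IOS release may require slightly different keywords.

```cisco
! Added example: certificate authentication on the router + Xauth via RADIUS.
! All names, addresses and the secret placeholder are assumed values.
aaa new-model
! Xauth user credentials are checked by RADIUS; group attributes stay local.
aaa authentication login XAUTH-RADIUS group radius
aaa authorization network VPN-GROUPS local
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
! Trustpoint for the CA that issued the client certificates; CRL checking enforced.
crypto pki trustpoint VPN-CA
 enrollment terminal
 revocation-check crl
!
! Only certificates whose subject contains the expected OU are accepted.
crypto pki certificate map VPN-CLIENT-CERTS 10
 subject-name co ou=vpn-users
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
ip local pool VPN-POOL 10.10.10.1 10.10.10.254
crypto isakmp client configuration group VPN-USERS
 pool VPN-POOL
!
! The ISAKMP profile ties the certificate check and the Xauth list together.
crypto isakmp profile REMOTE-ACCESS
 ca trust-point VPN-CA
 match certificate VPN-CLIENT-CERTS
 client authentication list XAUTH-RADIUS
 isakmp authorization list VPN-GROUPS
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile REMOTE-ACCESS-IPSEC
 set transform-set AES256-SHA256
 set isakmp-profile REMOTE-ACCESS
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile REMOTE-ACCESS-IPSEC
```

Note the division of trust this creates: the certificate is validated entirely on the router (trustpoint, certificate map, CRL), and the RADIUS server only ever sees the Xauth username and password. That is exactly why the RADIUS server cannot make an authorization decision based on the certificate in this model, which is the limitation the thread runs into.
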
Wayne_G
Level 1

I don't think it's possible currently; you can only do certificate auth on the router and then pass the Xauth off to a RADIUS server.

So I ended up forwarding the client IPsec requests on to another server to handle the certificate authentication, but left the L2L IPsec tunnels on the router. This was achieved using a static NAT of UDP 500/4500 with the route-map and reversible options.
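The workaround in the post above (remote-access IKE and NAT-T traffic forwarded to an internal VPN server while the router keeps its own site-to-site tunnels) can be expressed as the static port NAT below. This is an added example, not the poster's configuration; the interface names, the router's public address 198.51.100.1, the internal VPN server 10.0.0.20 and the site-to-site peer 203.0.113.5 are all assumed values, and the exact route-map/reversible behaviour should be confirmed against the IOS release in use.

```cisco
! Added example: forward remote-access IKE (UDP 500) and NAT-T (UDP 4500) to an
! internal VPN server, excluding the L2L peer that the router terminates itself.
! All addresses and names are assumed values.
!
! Match IKE/NAT-T in either direction, but never for the site-to-site peer,
! whose IKE must still reach the router's own crypto engine.
ip access-list extended RA-CLIENT-IKE
 remark exclude the L2L peer in both directions
 deny   udp host 203.0.113.5 any
 deny   udp any host 203.0.113.5
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
!
route-map RA-TO-VPNSERVER permit 10
 match ip address RA-CLIENT-IKE
!
! Static port translations from the router's public address to the inside server.
! "reversible" lets the route-map govern translations initiated from outside,
! which is what allows inbound client IKE to be steered to 10.0.0.20.
ip nat inside source static udp 10.0.0.20 500 198.51.100.1 500 route-map RA-TO-VPNSERVER reversible
ip nat inside source static udp 10.0.0.20 4500 198.51.100.1 4500 route-map RA-TO-VPNSERVER reversible
!
interface GigabitEthernet0/0
 description outside
 ip address 198.51.100.1 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
```

The deny entries are the important part: without them the static translation on the router's own address would also capture the site-to-site peer's IKE packets and break the L2L tunnels the router is supposed to keep. After applying this, `show ip nat translations` and `show crypto isakmp sa` are the checks to confirm that client sessions appear as translations to the inside server while the L2L SA is still established on the router.
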
