Wayne_G
Beginner

IPsec VPN with certificate auth and RADIUS

Hi,

I would like to set up certificate-based VPN authentication on a Cisco router but with the auth done by a RADIUS server. I have not been able to find an example of this. I have looked at documentation on RADIUS with username/password and documentation on local certificate auth on the router, but not a combination of the two. Is it possible?

Thanks.

5 REPLIES
Puneesh Chhabra
Cisco Employee

A non-Cisco doc though, hope it helps:
http://www.crossrealms.com/cisco-asa-with-radius-and-certificates-for-two-factor-authentication-using-a-microsoft-ca/
Regards

Puneesh

Please rate helpful posts

On a Cisco router:
https://supportforums.cisco.com/discussion/11053336/vpn-router-certificate-authentication
Regards

Puneesh

Please rate helpful posts

Thanks for your reply, but unfortunately those links don't quite apply to my case. The first is for an ASA using the GUI. The second (which is what I have been working off) has one example for local certificate auth and another example for RADIUS auth with username/password, but not RADIUS auth with certificates.

Wayne_G
Beginner

So I have it working - sort of...

What is happening is the router is verifying the certificate, then the user is prompted for credentials which the router passes to the RADIUS server.

But what I want is for the router to pass the client certificate to the RADIUS server, and not require a username/password.

I suppose it is similar to how a wireless device would do certificate auth. Is it possible with VPN?

Wayne_G
Beginner

I don't think it's possible currently; you can only do certificate auth on the router and then pass the XAuth off to a RADIUS server.

So I ended up forwarding the client IPsec requests on to another server to handle the certificate authentication, but left the L2L IPsec tunnels on the router. This was achieved using a static NAT of UDP 500/4500 with the route-map and reversible options.
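As a constructed illustration of the workaround described in the post above (not the poster's own configuration), this is what a static NAT with route-map and reversible on IOS could look like: the interface names, addresses and ACL/route-map names are assumptions, and the exact keyword syntax of `ip nat inside source static udp ... route-map ... reversible` should be checked against the IOS release in use.

```cisco
! Constructed example, not the poster's configuration. Assumed values:
!   GigabitEthernet0/0 = outside (WAN) interface, public address 203.0.113.1
!   GigabitEthernet0/1 = inside interface
!   10.0.0.5           = internal server that terminates remote-access IPsec
!   198.51.100.7       = a site-to-site (L2L) peer that must keep terminating on the router
!
! Only IKE / NAT-T traffic (UDP 500/4500) that is NOT exchanged with the L2L peer
! is forwarded to the inside server; the router's own L2L tunnels are left alone.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! ACL written from the inside server's point of view (inside -> outside);
! the "reversible" keyword lets outside-initiated sessions be matched against it.
! Add one deny line per L2L peer so that peer's IKE packets stay on the router.
ip access-list extended VPN-FORWARD
 deny   udp host 10.0.0.5 host 198.51.100.7
 permit udp host 10.0.0.5 any
!
route-map RM-VPN-FORWARD permit 10
 match ip address VPN-FORWARD
!
! Static port translations for IKE (UDP 500) and NAT-T (UDP 4500)
ip nat inside source static udp 10.0.0.5 500 203.0.113.1 500 route-map RM-VPN-FORWARD reversible
ip nat inside source static udp 10.0.0.5 4500 203.0.113.1 4500 route-map RM-VPN-FORWARD reversible
```

After applying it, `show ip nat translations` should show remote clients mapped to 10.0.0.5 while `show crypto isakmp sa` still shows the L2L peer's IKE SA on the router itself.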
