ABaker94985
Beginner

Is it possible to use computer certificates with AnyConnect when SAML and MFA is already configured?

We have an ASA running 9.8(4) that has been successfully authenticating users against SAML with MFA. The problem we're trying to fix is that personal computers can be connected to our network using AnyConnect when the users enter their credentials, so we want to prevent that. We do have an enterprise CA, and the computers already have certificates, so we'd like not only the users to authenticate the way they have been but also add on computer authentication. When I look at the computer profiles, there doesn't seem to be the ability to use computer certificates once SAML is chosen. Am I wrong? Are there any other ways to accomplish this? Thanks

Accepted Solution
Josue Brenes
Cisco Employee

It is not possible.

When using SAML as the authentication method, no other method (certificate authentication, RADIUS or LDAP authentication) can also be used.

There is one certificate authentication that can take place, but it will be between the SAML IdP and the client PC; the ASA will not be part of this.

You can check this: https://community.cisco.com/t5/vpn/asa-anyconnect-vpn-with-saml-and-certificate-authentication/m-p/4061350#M271571


Rate if it helps.


Regards,

Josue Brenes

TAC - VPN Engineer.

3 Replies
ABaker94985
Beginner

I just ran across this reddit post (https://www.reddit.com/r/Cisco/comments/gh4cyg/asa_anyconnect_dap_how_do_i_assign_different_acls/) where someone posted using a conditional access policy to allow only managed devices to connect. That may be a configuration change only needed within Azure, but I'm not sure about this. Here is the quote:


"Not sure if this is an option or in scope for you, but we’re doing SAML with AnyConnect and using Azure AD as our IDp. We then apply a conditional access policy to the Azure AD VPN “app.” This basically only allows managed devices and a group membership."

Thank you.