06-16-2021 07:52 AM
We have an ASA running 9.8(4) that has been successfully authenticating users against SAML with MFA. The problem we're trying to fix is that personal computers can be connected to our network using AnyConnect when the users enter their credentials, so we want to prevent that. We do have an enterprise CA, and the computers already have certificates, so we'd like not only the users to authenticate the way they have been but also add on computer authentication. When I look at the computer profiles, there doesn't seem to be the ability to use computer certificates once SAML is chosen. Am I wrong? Are there any other ways to accomplish this? Thanks
06-17-2021 03:58 PM - edited 06-17-2021 03:59 PM
It is not possible.
When using SAML as the authentication method, no other method (certificate, RADIUS, or LDAP authentication) can also be used.
There is one certificate authentication that can take place, but it will be between the SAML IdP and the client PC; the ASA will not be part of this.
You can check this: https://community.cisco.com/t5/vpn/asa-anyconnect-vpn-with-saml-and-certificate-authentication/m-p/4061350#M271571
Rate if it helps.
Regards,
Josue Brenes
TAC - VPN Engineer.
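To show where this limitation sits in the configuration, here is a constructed ASA configuration fragment (an added illustration, not from the original thread or from Cisco). The tunnel-group names, trustpoint names, and URLs are hypothetical. The point is that `authentication` under `webvpn-attributes` is a single selection per tunnel-group: `aaa` and `certificate` can be combined on one tunnel-group, whereas `saml` stands alone, so device certificate checks have to happen at the IdP (for example via a managed-device policy) rather than on the ASA.

```text
! --- SAML IdP definition (hypothetical IdP and ASA values) ---
webvpn
 saml idp https://idp.example.com/saml
  url sign-in https://idp.example.com/saml/sso
  url sign-out https://idp.example.com/saml/slo
  base-url https://vpn.example.com
  trustpoint idp IDP-SIGNING-TP
  trustpoint sp ASA-SP-TP
  no signature
  no force re-authentication

! --- Tunnel-group using SAML (user + IdP-side MFA) ---
! Only "authentication saml" is possible here; there is no
! "authentication saml certificate" form in this release.
tunnel-group SAML-MFA-TG type remote-access
tunnel-group SAML-MFA-TG webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/saml
 group-url https://vpn.example.com/saml enable

! --- For comparison: AAA combined with machine certificate ---
! This combination is supported, but it uses AAA (RADIUS/LDAP), not SAML.
tunnel-group AAA-CERT-TG type remote-access
tunnel-group AAA-CERT-TG webvpn-attributes
 authentication aaa certificate
 group-url https://vpn.example.com/cert enable
```

A practical consequence for the original question: if the requirement is "only corporate devices may connect", the enforcement point must move to the IdP (a conditional access rule that requires a managed or compliant device), or the tunnel-group must be switched from SAML to `aaa certificate`, giving up SAML-based MFA on the ASA side.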
06-16-2021 08:16 AM
I just ran across this reddit post (https://www.reddit.com/r/Cisco/comments/gh4cyg/asa_anyconnect_dap_how_do_i_assign_different_acls/) where someone posted using a conditional access policy to allow only managed devices to connect. That may be a configuration change only needed within Azure, but I'm not sure about this. Here is the quote:
"Not sure if this is an option or in scope for you, but we’re doing SAML with AnyConnect and using Azure AD as our IDp. We then apply a conditional access policy to the Azure AD VPN “app.” This basically only allows managed devices and a group membership."
06-17-2021 04:09 PM
Thank you.