Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1200
Views
0
Helpful
3
Replies

Is it possible to user computer certificates with AnyConnect when SAML and MFA is already configured?

Go to solution
ABaker94985
Spotlight
Spotlight

‎06-16-2021 07:52 AM

We have an ASA running 9.8(4) that has been successfully authenticating users against SAML with MFA. The problem we're trying to fix is that personal computers can be connected to our network using AnyConnect when the users enter their credentials, so we want to prevent that. We do have an enterprise CA, and the computers already have certificates, so we'd like not only the users to authenticate the way they have been but also add on computer authentication. When I look at the computer profiles, there doesn't seem to be the ability to use computer certificates once SAML is chosen. Am I wrong? Are there any other ways to accomplish this? Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Josue Brenes
Cisco Employee
Cisco Employee

‎06-17-2021 03:58 PM - edited ‎06-17-2021 03:59 PM

It is not possible.

When using SAML as authentication method, no other method(cert authentication, radius or ldap authentication) can be also used.

There is one Certificate authentication that can take place but it will be between the SAML IdP and the Client PC, the ASA will not be part of this.

You can check this: https://community.cisco.com/t5/vpn/asa-anyconnect-vpn-with-saml-and-certificate-authentication/m-p/4061350#M271571

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
ABaker94985
Spotlight
Spotlight

‎06-16-2021 08:16 AM

I just ran across this reddit post (https://www.reddit.com/r/Cisco/comments/gh4cyg/asa_anyconnect_dap_how_do_i_assign_different_acls/) where someone posted using a conditional access policy to allow only managed devices to connect. That may be a configuration change only needed within Azure, but I'm not sure about this. Here is the quote:

 

"Not sure if this is an option or in scope for you, but we’re doing SAML with AnyConnect and using Azure AD as our IDp. We then apply a conditional access policy to the Azure AD VPN “app.” This basically only allows managed devices and a group membership."

0 Helpful

Go to solution
Josue Brenes
Cisco Employee
Cisco Employee

‎06-17-2021 03:58 PM - edited ‎06-17-2021 03:59 PM

It is not possible.

When using SAML as authentication method, no other method(cert authentication, radius or ldap authentication) can be also used.

There is one Certificate authentication that can take place but it will be between the SAML IdP and the Client PC, the ASA will not be part of this.

You can check this: https://community.cisco.com/t5/vpn/asa-anyconnect-vpn-with-saml-and-certificate-authentication/m-p/4061350#M271571

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.

0 Helpful

Go to solution
ABaker94985
Spotlight
Spotlight
In response to Josue Brenes

‎06-17-2021 04:09 PM

Thank you.

0 Helpful
Customers Also Viewed These Support Documents