Beginner

Two-factor authentication for Cisco AnyConnect using certificates

I am planning to set up two-factor authentication and planning to buy the certificate from Thawte, but I need help choosing which certificate I need to buy. Can I buy a code signing SSL certificate and use it for two-factor authentication? If not, what should I buy, and what's the procedure?

Regards

NH


Accepted Solutions
Cisco Employee

Hi NH,

I see that you wish to do two factor authentication for the clients connecting to your Headend using AAA + Certificates.

I also see that you are looking to get the certificate signed from Thawte.

>>In two factor authentication in your scenario, the client while connecting will have to present the username/password along with a client certificate to complete the authentication.

>>You can get the client certificate signed from any Public Certificate Authority(CA).

>>Only a certificate whose Extended Key Usage attribute has the value Client Authentication can be used by the client during client certificate authentication.

>>If the Extended Key Usage does not have "Client Authentication" as one of its values, then this certificate cannot be used for client cert authentication.

>>Now, once you get the client certificate, have it installed on the workstation and present it to the Headend during authentication, it may again fail certificate validation by the Headend, as it is required that the Headend device have the Root Certificate of your client certificate installed under its Certificate Authority (CA) store.

Regards,

Mrutunjay Sethi

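A way to exercise the two requirements in the accepted answer (the client certificate's Extended Key Usage must include Client Authentication, and the headend must hold the issuing root in its CA store) with the openssl CLI. This is an added example, not code from the thread or from Cisco; it builds throwaway lab CAs and certificates whose names are all made up, and it assumes only that `openssl` is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds two throwaway lab root CAs and three
# leaf certificates (all names made up), then applies the checks the accepted
# answer describes. Needs only the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# make_ca NAME: self-signed root CA written to NAME.key / NAME.pem.
make_ca() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -sha256 -days 2 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
# issue NAME CA EKU: leaf certificate NAME.pem signed by CA.pem with the given EKU.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -sha256 -days 1 \
    -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# has_client_auth NAME: does the EKU list TLS Web Client Authentication (id-kp-clientAuth)?
has_client_auth() {
  openssl x509 -in "$1.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

# chains_to NAME CA: would a headend whose CA store holds CA.pem accept NAME.pem as a
# client certificate? -purpose sslclient enforces the EKU requirement as well.
chains_to() {
  openssl verify -purpose sslclient -CAfile "$2.pem" "$1.pem" >/dev/null 2>&1
}

# sig_alg NAME: the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
# (The SHA256 question in the thread: a property of the cert, not an ASA setting.)
sig_alg() {
  openssl x509 -in "$1.pem" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

make_ca labroot                        # the CA whose root the headend has installed
make_ca otherroot                      # a CA the headend does not trust
issue client labroot clientAuth        # what the workstation should present
issue server labroot serverAuth        # plain web-server cert: wrong EKU for a client
issue stranger otherroot clientAuth    # right EKU, but its root is not in the headend's store

for c in client server stranger; do
  printf '%-9s clientAuth EKU: %-3s trusted chain: %s\n' "$c" \
    "$(has_client_auth "$c" && echo yes || echo no)" "$(chains_to "$c" labroot && echo OK || echo FAIL)"
done
```

Only `client` passes both checks; `server` fails on EKU and `stranger` fails because its root is not in the trusted store, which are the two failure modes the answer warns about.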
Advisor

As the certificate only goes on the ASA, I believe you just need a plain vanilla web site certificate.

Beginner

Thanks a lot guys for your help. I am having a weird situation here: the certificate is SHA256 signed but there is no SHA256 algorithm in the SSL settings in ASDM. I am running ASA ver 9.1.

Any ideas?

Advisor

The SHA256 algorithm on the certificate is to verify it has not been altered. There is nothing to configure on the ASA side.

Beginner

Hi Philip,

I didn't quite understand the answer. What do you mean by verify?

Thanks

Advisor

How does anyone know if the certificate has been tampered with, and it is actually a fake?  You take a cryptographic hash, like SHA256.  So every time a system processes the certificate it creates a new hash and makes sure it matches the one stored with the certificate - or verifies the certificate is authentic.

Beginner

Best to include the flag: id-kp-serverAuth to identify it as a web server, and make sure the clients have the issuer name of the head-end cert in their trusted CAs

Beginner

Also go for SHA-2 certificate, since Windows will end SHA-1 support completely by Jan 2017.

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx 

Advisor

You can't buy a certificate from any major provider (that I know of at least) without SHA-2 on it now.

Can we do this with ASA 5510 / ver 9.1? I believe with SHA-2 it's kind of hard. The 5510 ASA will import a SHA-2 certificate, but it won't be able to perform the decryption operations required to perform certificate-based authentication. Any suggestions?