Two-factor authentication Cisco AnyConnect using certificates

snahosany
Level 1

I am planning to set up two-factor authentication, and planning to buy the certificate from Thawte, but I need help to choose which certificate I need to buy. Can I buy a code signing SSL certificate and use it for two-factor authentication? If not, what should I buy and what's the procedure?

Regards

NH

Accepted Solution

mrsethi
Cisco Employee

Hi NH,

I see that you wish to do two-factor authentication for the clients connecting to your Headend using AAA + Certificates.

I also see that you are looking to get the certificate signed by Thawte.

>> In two-factor authentication in your scenario, the client, while connecting, will have to present the username/password along with a client certificate to complete the authentication.

>> You can get the client certificate signed by any Public Certificate Authority (CA).

>> The certificate must have the Extended Key Usage attribute value Client Authentication to be used by the client during client certificate authentication.

>> If the Extended Key Usage does not have "Client Authentication" as one of its values, then this certificate cannot be used for client certificate authentication.

>> Now, once you get the client certificate installed on the workstation and present it to the Headend during authentication, the Headend may again fail the certificate validation, as the Headend device must have the Root Certificate of your client certificate installed under its Certificate Authority (CA) store.

Regards,

Mrutunjay Sethi


10 Replies

Philip D'Ath
VIP Alumni

As the certificate only goes on the ASA, I believe you just need a plain vanilla web site certificate.

Thanks a lot guys for your help. I am having a weird situation here: the certificate is SHA256 signed but there is no SHA256 algorithm in the SSL settings in ASDM. I am running ASA ver 9.1.

Any ideas?

The SHA256 algorithm on the certificate is to verify it has not been altered. There is nothing to configure on the ASA side.

Hi Philip,

I didn't quite really understand the answer; what do you mean by verify?

Thanks

How does anyone know if the certificate has been tampered with, and it is actually a fake?  You take a cryptographic hash, like SHA256.  So every time a system processes the certificate it creates a new hash and makes sure it matches the one stored with the certificate - or verifies the certificate is authentic.

gaowen
Level 1

Best to include the flag id-kp-serverAuth to identify it as a web server, and make sure the clients have the issuer name of the head-end cert in their trusted CAs.

ndhingr3
Level 1

Also go for SHA-2 certificate, since Windows will end SHA-1 support completely by Jan 2017.

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

You can't buy a certificate from any major provider (that I know of at least) without SHA-2 on it now.
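Added example (not from the thread, Cisco or any CA): the three checks that mrsethi's answer and the SHA-2 replies imply, run with the openssl CLI before a root is loaded into the headend's CA store. The throwaway root CA, the req config and the names client-ok/client-bad are all constructed for this example; with a purchased certificate, run the same three functions on that file and the CA's root.

```shell
# Added example: the checks to run on a client certificate before loading its
# issuing root into the ASA trustpoint. A throwaway root CA and two client
# certs are constructed here so the script runs offline (all names are demo values).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal req config so behaviour does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# Constructed stand-in for the public CA root the headend must trust.
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# issue_cert NAME EKU: client certificate signed by the demo root with that EKU.
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$1" -newkey rsa:2048 -nodes \
    -sha256 -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage = %s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}
# has_client_auth CERT: succeeds only if the EKU extension lists Client Authentication.
has_client_auth() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null |
    grep -q 'TLS Web Client Authentication'
}
# chains_to_root CERT ROOT: the validation the headend does with ROOT in its CA store,
# including the client-auth purpose; a server-only cert or an unknown root fails it.
chains_to_root() {
  openssl verify -CAfile "$2" -purpose sslclient "$1" >/dev/null 2>&1
}
# signature_algorithm CERT: e.g. sha256WithRSAEncryption (SHA-2) vs sha1WithRSAEncryption.
signature_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
issue_cert client-ok clientAuth    # what a certificate for this use must carry
issue_cert client-bad serverAuth   # a web-server-only certificate, unusable for client auth
for c in client-ok client-bad; do
  printf '%s: %s; ' "$c" "$(signature_algorithm "$WORK/$c.pem")"
  has_client_auth "$WORK/$c.pem" && printf 'clientAuth EKU present; ' || printf 'no clientAuth EKU; '
  chains_to_root "$WORK/$c.pem" "$WORK/ca.pem" && echo 'chain OK' || echo 'chain FAILS'
done
```

The second verify call is the failure mrsethi describes: the same client-ok certificate checked against a file that does not contain its issuing root does not validate.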


Can we do this with ASA 5510 / ver 9.1? I believe with SHA-2 it's kind of hard. The 5510 ASA will import a SHA-2 certificate, but it won't be able to perform the decryption operations required to perform certificate-based authentication. Any suggestion?