Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4934
Views
0
Helpful
10
Replies

Two factor authentication cisco anyconnect using certificates

Go to solution
snahosany
Level 1
Level 1

‎01-06-2016 12:28 PM - edited ‎02-21-2020 08:36 PM

I am planning to setup two factor authentication, and planning to buy the certificate from thawte, but need help to choose which certificate do i need to buy. Can i buy a code signing ssl certificate, and use it for two-factor authentication? if not what should I buy and what's the procedure?

Regards

NH

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mrsethi
Cisco Employee
Cisco Employee

‎01-13-2016 08:37 AM

Hi NH,

I see that you wish to do two factor authentication for the clients connecting to your Headend using AAA + Certificates.

I also see that you are looking to get the certificate signed from Thawte.

>>In two factor authentication in your scenario, the client while connecting will have to present the username/password along with a client certificate to complete the authentication.

>>You can get the client certificate signed from any Public Certificate Authority(CA).

>>The Certificate having the Extender key usage attribute value as Client Authentication can only be used by the client during client certificate authentication.

>>If the Extended Key Usage does not have "Client Authentication" as one of its value then this certificate can not be used for client cert authentication.

>>Now once you get the client certificate and have it installed on the workstation and present to the Headend during authentication may again fail the Certificate validation by the Headend as it is required that the Headend Device should have the Root Certificate of your Client Certificate installed under its Certificate Authority(CA) store.

Regards,

Mrutunjay Sethi

 

View solution in original post

Preview file
26 KB
0 Helpful
10 Replies 10

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎01-06-2016 11:42 PM

As the certificate only goes on the ASA, I believe you just need a plain vanilla web site certificate.

0 Helpful

Go to solution
snahosany
Level 1
Level 1
In response to Philip D'Ath

‎01-18-2016 11:19 AM

Thanks a lot guys for your help, i am having a weird situation here, the cetificate is SHA256 signed but there is no SHA256 algorithm on SSL settings on ASDM. I am running ASA ver 9.1 

Any ideas?

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to snahosany

‎01-18-2016 12:01 PM

The SHA256 algorithm on the certificate is to verify is has not been altered.  There is nothing to configure on the ASA side.

0 Helpful

Go to solution
snahosany
Level 1
Level 1
In response to Philip D'Ath

‎01-18-2016 12:21 PM

Hi philip

I didnt quite really understand the answer, what do you mean by verify?

Thanks

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to snahosany

‎01-18-2016 12:37 PM

How does anyone know if the certificate has been tampered with, and it is actually a fake?  You take a cryptographic hash, like SHA256.  So every time a system processes the certificate it creates a new hash and makes sure it matches the one stored with the certificate - or verifies the certificate is authentic.

0 Helpful

Go to solution
gaowen
Level 1
Level 1

‎01-07-2016 02:40 AM

Best to include the flag: id-kp-serverAuth to identify it as a web server, and make sure the clients have the issuer name of the head-end cert in their trusted CAs

0 Helpful

Go to solution
ndhingr3
Level 1
Level 1

‎01-13-2016 12:55 AM

Also go for SHA-2 certificate, since Windows will end SHA-1 support completely by Jan 2017.

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx 

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to ndhingr3

‎01-13-2016 11:31 AM

You can't buy a certificate from any major provider (that I know of at least) without SHA-2 on it now.

0 Helpful

Go to solution
mrsethi
Cisco Employee
Cisco Employee

‎01-13-2016 08:37 AM

Hi NH,

I see that you wish to do two factor authentication for the clients connecting to your Headend using AAA + Certificates.

I also see that you are looking to get the certificate signed from Thawte.

>>In two factor authentication in your scenario, the client while connecting will have to present the username/password along with a client certificate to complete the authentication.

>>You can get the client certificate signed from any Public Certificate Authority(CA).

>>The Certificate having the Extender key usage attribute value as Client Authentication can only be used by the client during client certificate authentication.

>>If the Extended Key Usage does not have "Client Authentication" as one of its value then this certificate can not be used for client cert authentication.

>>Now once you get the client certificate and have it installed on the workstation and present to the Headend during authentication may again fail the Certificate validation by the Headend as it is required that the Headend Device should have the Root Certificate of your Client Certificate installed under its Certificate Authority(CA) store.

Regards,

Mrutunjay Sethi

 

Preview file
26 KB
0 Helpful

Go to solution
Samuel T Mathai
Level 1
Level 1
In response to mrsethi

‎07-07-2016 08:23 AM

Can we do this with ASA 5510 /ver 9.1. I believe with SHA 2 its kind of hard. The 5510 ASA will import a SHA-2 certificate but it won't be able to perform the decryption operations required to perform certificate based authentication. Any suggestion ? 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents