VPN Authentication utilizing AnyConnect, ASA with Certificates & RSA authentication

jason.erbe
Level 1

Hello,

I had a couple of questions I was hoping some in the Community could help me answer.

I'm setting up a new deployment which consists of the following:

  • Critical Applications & Services
    • Cisco ISE 2.1
    • Cisco ASA 5525, v9.5
    • AnyConnect Mobility Client v4.2
    • RSA SecurID Server - don't remember the version, but it is fairly updated
  • Need: Remote VPN session (AnyConnect 4.x) client
    • Wants to build 2 policies
      • SBL – validation with certificate installed, limited access to network
      • Full – UserPASS (RSA token exchange); MachinePASS (certificate exchange)

I know that within Cisco ASA, I can setup an AnyConnect VPN profile to perform both a Certificate as well as a RADIUS based authentication.  Basically the ASA would query and validate the Certificate, and then forward a RADIUS request for User authentication - in this case to the Cisco ISE, which then is associated with the 3rd party RSA server.

What I was trying to do was to have the Cisco ISE support both certificate & RSA authentication, but feedback I've received so far seems to indicate such is not possible at this time.  Such would be possible with EAP-Chaining, but EAP-Chaining is only possible for WIRED/WIRELESS deployments and not with VPN deployments (AnyConnect NAM isn't supported for VPN it appears).

My questions come down to the following:

1) Are Certificate & User-based authentications as described above planned in the near future to be possible on the ISE for VPN authentications?

2) Is EAP-Chaining ever planned to be available for VPN connections?

3) Does anyone have a good reference, website or suggestion where I can look and review regarding best-practice configurations for Cisco ASA, AnyConnect VPN with two-factor authentication?

Thanks for your help.

Accepted Solution

pcarco
Cisco Employee

Hello,

And just to add. Since certificate authentication is being used to establish a VPN session, the ASA needs to validate the user cert, i.e., have the root CA installed. You could essentially do what we loosely refer to as triple auth, where you configure 'Both' on the tunnel-group (Cert + AAA method), which in your case could be the native SDI integration the ASA offers.

"SDI has two main advantages over RADIUS. The first is that the whole session is encrypted. The second is the interesting options that the SDI agent provides: it is able to determine if the failure is created because authentication or authorization failed or because the user was not found."

RSA Token Server and SDI Protocol Usage for ASA and ACS - Cisco

In terms of the AnyConnect/ASA/ISE integration, you could then do secondary authentication for RADIUS, so ISE for CoA/Posture, even though technically it's triple. Or you could do RADIUS Authorization:

https://communities.cisco.com/docs/DOC-68158

Best regards,

Paul

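The following is an added configuration example, not posted by anyone in the thread, showing how the two policies and the "Both" (certificate + AAA) method described in the accepted answer map onto ASA 9.5 CLI. Interface names, IP addresses, the RADIUS shared secret, the address pool, the trustpoint, ACL, group-policy and tunnel-group names are all assumptions chosen for illustration; replace them with your own.

```text
! Added example (not from the thread): ASA 9.5 skeleton for the two AnyConnect
! policies discussed above. All names, addresses and the shared secret below
! are assumed values for illustration.

! --- Certificate validation: the ASA must trust the CA that issued the
! --- machine/user certificates, and should check revocation (CRL here).
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl none
 crl configure
! Then import the CA certificate with: crypto ca authenticate CORP-CA

! --- AAA servers
! Native SDI integration to the RSA Authentication Manager
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 10.0.0.20
 retry-interval 5
! ISE over RADIUS; dynamic-authorization enables CoA so ISE can
! apply posture results to the live session
aaa-server ISE-RADIUS protocol radius
 dynamic-authorization
 interim-accounting-update
aaa-server ISE-RADIUS (inside) host 10.0.0.30
 key ChangeMe-SharedSecret
 authentication-port 1812
 accounting-port 1813

ip local pool VPN-POOL 10.10.10.10-10.10.10.250 mask 255.255.255.0

! --- Policy 1: SBL (start before logon), certificate only, limited access.
! A VPN filter ACL restricts the pre-logon tunnel to what the client needs
! (here: one internal host on 443, everything else denied).
access-list SBL-FILTER extended permit tcp any host 10.0.0.40 eq 443
access-list SBL-FILTER extended deny ip any any
group-policy SBL-GP internal
group-policy SBL-GP attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value SBL-FILTER
tunnel-group SBL-VPN type remote-access
tunnel-group SBL-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy SBL-GP
 username-from-certificate CN
tunnel-group SBL-VPN webvpn-attributes
 authentication certificate
 group-alias SBL enable

! --- Policy 2: Full access. "Both" = certificate + AAA, with the RSA SDI
! group as primary AAA and ISE as the secondary (the "triple auth" of the
! accepted answer: cert + SecurID token + ISE-backed password).
group-policy FULL-GP internal
group-policy FULL-GP attributes
 vpn-tunnel-protocol ssl-client
tunnel-group FULL-VPN type remote-access
tunnel-group FULL-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy FULL-GP
 authentication-server-group RSA-SDI
 secondary-authentication-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
tunnel-group FULL-VPN webvpn-attributes
 authentication aaa certificate
 group-alias Full enable
! Alternative from the accepted answer: leave ISE out of authentication and
! use it only for RADIUS authorization/accounting. Replace the
! secondary-authentication-server-group line above with:
!  authorization-server-group ISE-RADIUS
!  authorization-required
```

Two practical checks before rolling this out: confirm the trustpoint validates a revoked test certificate as expected (otherwise a lost laptop's machine certificate keeps working for SBL), and confirm that the RSA node secret has been exchanged with the ASA, since a node-secret mismatch is the usual cause of SDI authentications failing after the first successful one. If you would rather have ISE front the RSA server (as in thomas's reply) instead of the ASA's native SDI, point `authentication-server-group` at the ISE RADIUS group and drop the secondary group; that gives certificate + token in two steps rather than three.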

3 Replies

hslai
Cisco Employee

Your (1) and (2) are roadmap questions, which we are not at liberty to discuss in a public community. Please use your channel resources to reach out to our product management team.

I am moving this to the space for anyconnect, which has a front page with a list of resources for your references for (3).

thomas
Cisco Employee

Please see the ISE Design & Integration Guides (http://cs.co/ise-guides) for our many integration guides, including Cisco AnyConnect and Cisco Adaptive Security Appliance (ASA).

For two-factor authentication, see the ISE Administrator Guide for RSA Identity Sources. We use RSA SecurID as the example but it's all the same for any RADIUS RFC 2865-compliant token server.
