VPN Certificate Based Authentication

switched switch
Level 1

I understand people are using their internal PKI for authentication on wired and wireless networks, but it now has me thinking about VPN authentication.

If the internal PKI has been set up for both machine and user certificates already, can we use that as part of the authentication for VPN? Is this a recommended solution? Ideally we would like to set this up with an OTP server as well, with ISE configured on the backend.

What needs to happen with certificate revocation for VPN connection?


2 Replies

switched switch
Level 1

Also, how do we configure the ASA to allow certificate authentication for staff with OTP and, say, for remote support access, to use a standard user/pass with or without OTP?

You are on the right track. Client certificates plus OTP authentication is one of the most secure ways to set up remote access VPN on the ASA.

For revocation, the ASA will generally check the CRLs of the issuing CA (or, in rare cases, use OCSP).

For your second post, you use connection-profiles (i.e. pre-login selection) to configure the different authentication methods for your two (or more) use cases.

You might want to invest in the certification guide for the CCNP VPN exam:

CCNP Security VPN 642-648 Official Cert Guide (2nd Edition)

Even though that exam is being retired next month, it has a wealth of information that complements the configuration guides with a more comprehensive explanation of just the type of questions you are asking.
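The following ASA configuration sketch is an added illustration of what the reply above describes (a trustpoint that checks the issuing CA's CRL, and two connection profiles that use different authentication methods); it is not from the original post, the poster, or Cisco documentation. The trustpoint and tunnel-group names, the ISE address and shared secret, the OCSP URL and the group policies are all assumed placeholders.

```cisco
! Trustpoint for the internal enterprise CA that issues the user and
! machine certificates (name and CA are assumed placeholders).
crypto ca trustpoint CORP-ISSUING-CA
 enrollment terminal
 ! Require every client certificate to be checked against the CA's CRL.
 ! The ASA fetches the CRL from the CDP URL embedded in the certificate
 ! and caches it for the configured time (minutes).
 revocation-check crl
 crl configure
  policy cdp
  cache-time 60
 ! Alternative if the CA publishes an OCSP responder (assumed URL):
 ! revocation-check ocsp
 ! ocsp url http://ocsp.corp.example/ocsp

! ISE as the RADIUS server (assumed address and key). ISE can in turn
! forward the one-time password to the OTP server.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.5
 key <shared-secret>

! Group policies for the two use cases (assumed names, minimal settings).
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-SUPPORT internal
group-policy GP-SUPPORT attributes
 vpn-tunnel-protocol ssl-client

! Connection profile for staff: the client certificate is validated
! first, then the user is prompted for the OTP, which goes to ISE.
tunnel-group STAFF type remote-access
tunnel-group STAFF general-attributes
 authentication-server-group ISE
 default-group-policy GP-STAFF
tunnel-group STAFF webvpn-attributes
 authentication certificate aaa
 ! Take the username from the certificate so the user only types the OTP.
 username-from-certificate CN
 pre-fill-username ssl-client
 group-alias Staff enable

! Connection profile for remote support: username/password against ISE
! only. Whether OTP is also required here is decided by the ISE policy
! for this profile, not by the ASA.
tunnel-group SUPPORT type remote-access
tunnel-group SUPPORT general-attributes
 authentication-server-group ISE
 default-group-policy GP-SUPPORT
tunnel-group SUPPORT webvpn-attributes
 authentication aaa
 group-alias Support enable

! Show the profile drop-down so users choose a profile before logging in.
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

Two caveats worth checking on a real deployment: with `revocation-check crl` the ASA rejects the connection when it cannot fetch a fresh CRL, so the CDP must be reachable from the ASA (typically through the inside interface); the weaker `revocation-check crl none` keeps users working during a CDP outage but also means a revoked certificate is accepted during that window. And because the support profile accepts a password without a certificate, restrict which accounts ISE allows on that profile, otherwise a staff user could bypass the certificate requirement simply by selecting the other profile.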