auraza (Cisco Employee) Tue, 10/06/2009 - 06:02

The ASA supports Kerberos authentication, which the VPN client authenticates against. The VPN client does support certificate authentication.


PS. If you found this response helpful, please rate it.


commarmi001 Tue, 10/06/2009 - 06:46

If my knowledge of Kerberos is correct, it is the VPN client that has to do authentication against the KDC. According to the documentation, this is possible with login/password, but it does not indicate whether it is possible with certificates. Kerberos certificate authentication uses a "special" method that is explained in RFC 4556.

auraza (Cisco Employee) Tue, 10/06/2009 - 06:55

The VPN client will get an Auth Request from the ASA, which is what will do Kerberos authentication on behalf of the client. The VPN client itself doesn't have the ability to do that, as it does not communicate directly with the Kerberos server.

commarmi001 Thu, 10/08/2009 - 06:27

Sorry, but I don't understand. How does the ASA use the private key (in the client) to negotiate with the KDC?

Please, can you explain to me who acquires the TGT and how?

auraza (Cisco Employee) Thu, 10/08/2009 - 10:20

You can't have the client do that. Only the ASA.
