We have old VPN3000 concentrators that service PPTP, L2TP/IPSec and Cisco VPN Client connections from our users. For the L2TP/IPSec and Cisco VPN Client users, we use preshared keys for initial authentication, then have users provide a username and password for the next authentication phase. We are looking at migrating to the ASA platform, which of course does not support PPTP, but we want to maintain L2TP/IPSec and Cisco VPN Client options as well as add AnyConnect capability.
What we would like to do is replace the preshared key authentication that we used with the VPN3000s with machine certificate authentication. We do not want to have to generate user certificates; rather, it was our understanding that the ASA certificate would be used to authenticate the ASA to the connecting client, the client would have to import the certificate and set up the VPN clients to trust it, and the users would then still present a username and password for the next authentication phase.
The available documentation, for example http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080930f21.shtml, only references situations where the users have to request a user certificate from a CA, which is not something we want to do.
Is what I describe possible? Or do we just not have a clear understanding on how the whole process works?
Thanks in advance!