Cisco ASA SSL VPN and Certificate Usage

Unanswered Question
May 23rd, 2011

I am setting up an evaluation deployment of the Cisco ASA SSL VPN.  Our intended use will be as Client (AnyConnect) Access for Employees and as Clientless Access for third parties (i.e. contractors, consultants, alumni, etc.).  Both will use username/password for Authentication.  For Employees, we want to take this one step further and check for the existence of a certificate on corporate issued hardware.  The certificate would be issued by an internal CA (and we do not currently use Revocation Lists).  I have found that I can set this up in two methods; either as a Prelogin Policy to check for the existence of the certificate, or within the Connection Profile Authentication as Both.  If I use a Prelogin Policy I understand I need to map the Failure case to an appropriate policy to account for the third party access.

What would be the benefits / disadvantages in selecting one certificate check method over another?  I'm trying to avoid being short sighted in the deployment and do not see how one method may be more or less advantageous than the other.

Todd Pula Mon, 05/23/2011 - 14:41
User Badges:
  • Silver, 250 points or more

The CSD pre-login check will only validate that the certificate with specified attributes exists on the client machine.  Modifying the authentication method under the connection profile will require the connecting user to present their identity to the ASA as part of the authentication process.  You can use Dynamic Access Policies (DAP) to provide more granular control over user access.  For example, an employee with a matching certificate is provided with unrestricted AnyConnect access while a vendor is provided with a clientless WebVPN portal with a single RDP bookmark.

rsculthorp Mon, 05/23/2011 - 14:57

I get that part and we are fine with the user having to "authenticate to the ASA" as part of the login access process.  My problem is that when I try to set up the DAP to identify users in a specific group, I am using Radius authentication as the attribute.  We are not using LDAP for the AAA or I would set it up using that instead.  I need to use the Radius authentication, which does not seem to be working.

I have attached a screen shot of the DAP.
wpbrown417 Tue, 05/24/2011 - 10:29

Thanks for the information, Todd.  Your post brings up an interesting point about leveraging DAP.  As far as I am aware, DAP cannot check for the existence of a certificate itself, but if a Prelogin Policy validates that a certificate exists, I can set the Policy Label which can then be referenced in DAP as an Endpoint attribute.  This would be a favorable nod towards using a Prelogin Policy to check for a certificate.

Would there be any compelling reason to use both AAA and certificate as the Authentication method for the Connection Profile?

Vikas Saxena Tue, 05/24/2011 - 20:43
User Badges:
  • Cisco Employee

Since you are not using revocation, what is the safeguard if the company asset is stolen?
wpbrown417 Wed, 05/25/2011 - 04:27

Vikas, we would be using two-factor authentication, AAA and Certificate.  If an asset were lost or stolen we would be able to change the password or disable the AAA account of the user.  I know it's not ideal since the Certificate would still exist on the asset, but it does help mitigate our exposure.

Vikas Saxena Wed, 05/25/2011 - 06:09
User Badges:
  • Cisco Employee

>>Would there be any compelling reason to use both AAA and certificate as the Authentication method for the Connection Profile?

My question/statement was actually in response to the above.

Two factor is a must, OTP preferred.

If it is a machine cert then you can also have the serial number of the asset embedded in the cert CN. If the asset is stolen then the cert can be blocked using the cert maps and DAP.
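The following ASA configuration is an added illustration of the two points made in this thread: Todd's suggestion of steering employees (certificate present, AAA and certificate authentication) and third parties (clientless) into different profiles, and Vikas's suggestion of embedding the asset serial in the certificate CN so a stolen asset can be blocked with a certificate map. It is not configuration from the thread or from Cisco; the names (CORP_ASSETS, EMPLOYEE_PROFILE, BLOCKED_PROFILE, RADIUS_SRV, the group policies), the CA common name, the serial, the RADIUS host address and the shared secret are all placeholders, and the AnyConnect client profile and bookmarks for the clientless portal are left out.

```cisco
! RADIUS server used for the password factor (placeholder address and key).
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 192.0.2.10
 key RADIUS-SHARED-SECRET-PLACEHOLDER

! Certificate map. Rules are evaluated in sequence-number order, so the
! rule that quarantines a stolen asset's serial comes first; the general
! rule only checks that the issuer is the internal CA (placeholder values).
crypto ca certificate map CORP_ASSETS 5
 issuer-name attr cn eq CORP-ISSUING-CA
 subject-name attr cn co SN-PLACEHOLDER-STOLEN
crypto ca certificate map CORP_ASSETS 10
 issuer-name attr cn eq CORP-ISSUING-CA

! Employees get AnyConnect; a quarantined asset gets zero allowed logins.
group-policy EMPLOYEE_GP internal
group-policy EMPLOYEE_GP attributes
 vpn-tunnel-protocol ssl-client
group-policy BLOCKED_GP internal
group-policy BLOCKED_GP attributes
 vpn-simultaneous-logins 0

! Employee profile: the user must present a certificate AND a RADIUS
! password, which is the "Both" option referred to in the question.
tunnel-group EMPLOYEE_PROFILE type remote-access
tunnel-group EMPLOYEE_PROFILE general-attributes
 authentication-server-group RADIUS_SRV
 default-group-policy EMPLOYEE_GP
tunnel-group EMPLOYEE_PROFILE webvpn-attributes
 authentication aaa certificate

! Quarantine profile that the stolen-serial rule lands in.
tunnel-group BLOCKED_PROFILE type remote-access
tunnel-group BLOCKED_PROFILE general-attributes
 default-group-policy BLOCKED_GP

! Third parties (no corporate certificate) use the default clientless
! profile reached through the group alias; they match no map rule.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS_SRV

! Select the profile from the certificate instead of the user's choice.
webvpn
 enable outside
 certificate-group-map CORP_ASSETS 5 BLOCKED_PROFILE
 certificate-group-map CORP_ASSETS 10 EMPLOYEE_PROFILE
```

With this in place a client that presents no certificate never matches a rule and is left on the default clientless profile, so the "failure case" the question asks about does not need a separate pre-login policy. The quarantine here is done with a group policy that allows no logins, which is visible in the CLI; the same decision can be expressed in the ASDM DAP editor as a record that matches the BLOCKED_PROFILE connection profile and terminates the session, which is the cert-map-plus-DAP approach Vikas describes. Either way, blocking a single serial only works if the serial was placed in the CN when the machine certificate was issued, so the CA template has to be set up that way from the start.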