I'm using certificate authentication and LDAP authorization and it works fine.
Now I want to centralize authentication and authorization on a RADIUS server (Cisco ACS in my case).
In the connection profile, we have 3 authentication methods:
- AAA: I can choose RADIUS or LDAP server group --> User is prompted for credentials user/password
- Certificate: I can't choose AAA Server Group... --> User must provide certificate
- Both: I can choose RADIUS or LDAP --> User is prompted for credentials user/password and user must provide certificate
If I choose the certificate authentication method, I can't delegate authentication and authorization to the RADIUS server.
Is there a solution for delegating certificate authentication to RADIUS?
I have different authorization rules for each VPN connection profile.
Can the ASA send the VPN connection profile to the RADIUS server (in a RADIUS attribute...)?
Thanks for your help,
The key thing in deployments using a WLC is that the supplicant on the client can talk EAP (including EAP-TLS), so the AAA server can authenticate the certificate.
In the case of AnyConnect, or the old IPsec client, there is no way to send the full cert to the AAA server (either not implemented/redundant from the client's point of view, or not in the standard).
IOS also gives you the possibility to perform a PKI authorization call:
AFAIR no similar mechanism exists on the ASA.