[Cisco AnyConnect] Certificate authentication on RADIUS

Answered Question
Dec 19th, 2011

Hi,


I'm using certificate authentication and LDAP authorization and it works fine.


Now, I want to centralize authentication and authorization on a RADIUS server (Cisco ACS in my case).


In connection profile, we have 3 authentication methods:

  • AAA: I can choose RADIUS or LDAP server group --> User is prompted for credentials user/password
  • Certificate: I can't choose AAA Server Group... --> User must provide certificate
  • Both: I can choose RADIUS or LDAP --> User is prompted for credentials user/password and user must provide certificate


If I choose the certificate authentication method, I can't delegate authentication and authorization to the RADIUS server.


Is there a solution for delegating certificate authentication to RADIUS?


I have different authorization rules for each VPN connection profile.

Can ASA send VPN connection profile to RADIUS? (in RADIUS attribute...)



Thanks for your help,


Patrick


dmh Sun, 09/23/2012 - 03:16

Hi Patrick,


I've hit the same issue and came across your post. Have you worked out a solution?


If you can't centralise it you don't have a log of all the connections. Wireless certificate authentication works over RADIUS so ideally AnyConnect should too.


Thanks, Darren

l-mathews Mon, 12/28/2015 - 07:05

I have a similar issue. AnyConnect VPN users can't authenticate with RADIUS; it defaults to local. I haven't specified local, nor do I want to. This is for two-factor authentication; AnyConnect VPN users have a certificate installed locally. The certificate is installed from AD, pushed down by group policy.

I tested aaa radius-server authentication and it was successful.

I have the config posted by Javier:

tunnel-group AnyConnect general-attributes

     authentication-server-group RADIUS

!

tunnel-group AnyConnect webvpn-attributes

     authentication aaa certificate

Any ideas? Am I missing something?

Also, what does the certificate-map-group command do?

Javier Portuguez Sun, 09/23/2012 - 05:27

Hi Patrick,


What exactly does not work?


You can have something like this:


tunnel-group AnyConnect general-attributes

     authentication-server-group RADIUS

!

tunnel-group AnyConnect webvpn-attributes

     authentication aaa certificate


Doing this, you will use RADIUS to authenticate your AD users, with the certificate as the second factor of two-factor authentication.


Please let me know.


Thanks.


Portu.
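To show how Javier's two-line snippet fits into a complete ASA configuration, here is an added example (it is not config posted in this thread, and not Cisco's). It assumes placeholder names and values I chose: a trustpoint CORP-CA, AAA server groups RADIUS and LDAP at 10.0.0.5 and 10.0.0.6, connection profiles SALES-VPN and CONTRACTOR-VPN, and OU values "sales" and "contractors" in the client certificates. It also answers the command l-mathews asks about: on the ASA the pair is `crypto ca certificate map` (which fields of the presented certificate to match) plus `certificate-group-map` under `webvpn` (which connection profile a matching certificate lands in), so the profile is chosen from the certificate rather than from an alias the user picks. Note what stays on the ASA in every case: the certificate chain, expiry and revocation status are checked against the trustpoint by the ASA itself, and the RADIUS server only ever sees the username and password (or, for the certificate-only profile, an authorization lookup keyed on the certificate's CN), which is exactly the limitation Patrick ran into. `accounting-server-group` sends session start/stop records to RADIUS, which is the central connection log Darren wanted.

```cisco
! Added example, not from the thread. Names, addresses, OU values and secrets are placeholders.
!
! --- AAA server groups ---
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.5
 key <shared-secret>
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.0.0.6
 ldap-base-dn dc=example,dc=com
 ldap-login-dn cn=asa-bind,ou=svc,dc=example,dc=com
 ldap-login-password <bind-password>
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 server-type microsoft
!
! --- Trustpoint: the ASA, not RADIUS, validates the client certificate ---
! A single revocation method fails closed: if OCSP is unreachable, the cert is rejected.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check ocsp
 ocsp url http://ocsp.example.com
!
! --- Certificate maps: match on fields of the presented certificate ---
crypto ca certificate map CERT-MAP 10
 issuer-name attr cn eq "Corp Issuing CA"
 subject-name attr ou eq sales
crypto ca certificate map CERT-MAP 20
 issuer-name attr cn eq "Corp Issuing CA"
 subject-name attr ou eq contractors
!
group-policy SALES-GP internal
group-policy SALES-GP attributes
 vpn-tunnel-protocol ssl-client
group-policy CONTRACTOR-GP internal
group-policy CONTRACTOR-GP attributes
 vpn-tunnel-protocol ssl-client
!
! --- Profile 1: certificate AND RADIUS credentials (two factors) ---
tunnel-group SALES-VPN type remote-access
tunnel-group SALES-VPN general-attributes
 authentication-server-group RADIUS
 authorization-server-group LDAP
 accounting-server-group RADIUS
 default-group-policy SALES-GP
 username-from-certificate CN
tunnel-group SALES-VPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
!
! --- Profile 2: certificate only; authorization is still looked up centrally ---
! authorization-required rejects a valid certificate whose CN is unknown to LDAP.
tunnel-group CONTRACTOR-VPN type remote-access
tunnel-group CONTRACTOR-VPN general-attributes
 authorization-server-group LDAP
 authorization-required
 accounting-server-group RADIUS
 default-group-policy CONTRACTOR-GP
 username-from-certificate CN
tunnel-group CONTRACTOR-VPN webvpn-attributes
 authentication certificate
!
! --- Pick the profile from the certificate, not from a user-chosen alias ---
webvpn
 enable outside
 anyconnect enable
 certificate-group-map CERT-MAP 10 SALES-VPN
 certificate-group-map CERT-MAP 20 CONTRACTOR-VPN
```

After pasting this, the issuing CA certificate still has to be imported into the trustpoint with `crypto ca authenticate CORP-CA` (exec mode), or no client certificate will validate. If an AnyConnect user is landing in the wrong profile or "defaulting to local" as l-mathews describes, `show vpn-sessiondb detail anyconnect` and `debug aaa common` are the usual first checks: the first shows which tunnel-group the session was mapped to, the second whether the ASA ever contacted the RADIUS group.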

Patrick Tran Mon, 09/24/2012 - 00:23

Hi,


@Darren, I contacted Cisco reseller support and there is no solution...


@Javier, if I choose certificate authentication, I can't delegate authentication to the RADIUS server. The ASA checks certificate validity...


As Darren said, Cisco WLC can delegate certificate authentication to RADIUS but Cisco ASA can't.


Best regards,


Patrick

Correct Answer
Marcin Latosiewicz Tue, 01/29/2013 - 08:30
Cisco Employee

Patrick,


The key thing in deployments using WLC is that the supplicant on the client can talk EAP (including EAP-TLS), so the AAA server can authenticate the certificate.


In the case of AnyConnect, or the old IPsec client, there is no way to send the full cert to the AAA server (either not implemented/redundant from the client's point of view, or not in the standard).


IOS also gives you the possibility to perform a PKI authorization call:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/15-2mt/sec-cfg-auth-rev-cert.html


AFAIR no similar mechanism exists on ASA.


M.
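For contrast with the ASA, here is what the IOS mechanism Marcin links to looks like, as an added example (not config from the thread or from the linked document). Names and addresses are placeholders: a trustpoint CORP-CA, an authorization list PKI-AUTHZ and a RADIUS server at 10.0.0.5. The certificate chain and revocation status are still validated locally by the router; what IOS adds is that, after that local check passes, the trustpoint sends an AAA authorization request to RADIUS keyed on a field of the certificate subject (here the CN), and the AAA server can permit the peer, reject it, or hand back the per-certificate PKI attributes the linked document describes. That is the "authorization call" the ASA does not offer for AnyConnect.

```cisco
! Added example, not from the thread. Trustpoint, list name, address and key are placeholders.
aaa new-model
! Authorization requests from the trustpoint go to the RADIUS group under this list name.
aaa authorization network PKI-AUTHZ group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key <shared-secret>
!
crypto pki trustpoint CORP-CA
 enrollment terminal
 ! Local validation first: chain, validity period, CRL.
 revocation-check crl
 ! Then ask the AAA server whether this particular certificate holder is authorized.
 ! The subject CN of the validated certificate is used as the AAA username.
 authorization list PKI-AUTHZ
 authorization username subjectname commonname
```

The difference from the ASA thread is the direction of trust: IOS never hands the certificate itself to RADIUS either (Marcin's point stands), but it does let the AAA server veto or annotate each validated certificate, so the central server sees an authorization record per connecting identity. On the ASA the closest equivalent is an `authorization-server-group` on a certificate-only tunnel-group, which is a lookup by username rather than a PKI-specific call.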

srue Tue, 01/29/2013 - 06:55

Did anyone try Portu's response?

tunnel-group AnyConnect general-attributes

     authentication-server-group RADIUS

!

tunnel-group AnyConnect webvpn-attributes

     authentication aaa certificate


I'm trying to do the same thing, except using ISE as the RADIUS server.


Thanks.
