Cisco Support Community


User authentication with certificates


Following scenario: a user with a certificate doing a VPN to a VPN concentrator or PIX. Authentication is made on ACS 3.2(2).

VPN users are using certificates for authentication.

When they connect, the certificate is assimilated with a group in the VPN concentrator or PIX. There is no user authentication. I believe there should be some user authentication in ACS. The group in the VPN concentrator is made by the book, but I can't find any option to authenticate the user certificate against ACS (a second time, I would say; the first time the VPN concentrator checks the certificate). Am I losing something from this scenario? I need user authentication against ACS for accounting.



Re: User authentication with certificates

I'm going to make a blind stab at this as I don't fully understand your question.

Certificates are used to authenticate the VPN client (the software) more so than the user. ACS does not provide certificate authentication. The CA provides validation of the certificate.

If you would like the Pix to authenticate a username/password in addition to checking the certificate for accounting purposes, then you'll need to use this:

crypto map map-name client authentication aaa-server-name

This will make the PIX authenticate all dynamic VPN clients against the ACS server. It won't provide true accounting though. For that, you must configure the global [aaa authentication] and [aaa accounting] on the PIX.
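As an added illustration of the reply above (not configuration from the thread or from Cisco), here is a PIX 6.x-style fragment that puts the crypto map client authentication command next to the AAA server definition and the global aaa lines it depends on. The server tag ACS1, the host 192.0.2.10, the crypto map name OUTSIDE_MAP and the client pool 10.10.10.0/24 are placeholders.

```text
! Added example, not from the original post. PIX 6.x syntax assumed.
! Define the ACS server the PIX will query (placeholder tag, address and key).
aaa-server ACS1 protocol radius
aaa-server ACS1 (inside) host 192.0.2.10 <shared-secret> timeout 10
!
! XAUTH: after the IKE certificate check, prompt every dynamic VPN client
! for a username/password that the PIX validates against ACS1.
crypto map OUTSIDE_MAP client authentication ACS1
!
! Global AAA rules from the reply: authenticate and account sessions that
! enter the PIX from the VPN client pool (placeholder 10.10.10.0/24).
aaa authentication include any inbound 0.0.0.0 0.0.0.0 10.10.10.0 255.255.255.0 ACS1
aaa accounting include any inbound 0.0.0.0 0.0.0.0 10.10.10.0 255.255.255.0 ACS1
```

The XAUTH line gives ACS a username to log for the connection; the aaa accounting line is what produces per-session start/stop records on the ACS side.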
