User authentication with certificates

8dstaicu
Level 1

Hi,

Following scenario: a user with a certificate is doing a VPN to a VPN concentrator or PIX. Authentication is made on ACS 3.2(2).

VPN users are using certificates for authentication.

When they connect, the certificate is assimilated with a group in the VPN conc. or PIX. There is no user authentication. I believe there should be some user authentication in ACS. The group in the VPN conc. is made by the book, but I can't find any option to authenticate the user certificate against ACS (a second time, I would say - the first time the VPN conc. checks the certificate). Am I missing something in this scenario? I need user authentication against ACS for accounting.

10x

1 Reply

shannong
Level 4

I'm going to make a blind stab at this as I don't fully understand your question.

Certificates are used to authenticate the VPN client (the software) more so than the user. ACS does not provide certificate authentication. The CA provides validation of the certificate.

If you would like the Pix to authenticate a username/password in addition to checking the certificate for accounting purposes, then you'll need to use this:

crypto map map-name client authentication aaa-server-name

This will make the Pix do authentication of all dynamic VPN clients against the ACS server. It won't provide true accounting though. For that, you must configure the global [aaa authentication] and [aaa accounting] on the Pix.
