AnyConnect and Certificate auth

raymng · ‎05-21-2012

Hi,

I would like to better understand conceptually how does "AnyConnect with Certificate authentication" work.

I have been doing AnyConnect with external radius server authentication, but never try certificate auth.

My perception is that we would generate individual (user or machine) certificates(??) from our Microsoft CA server to our laptop users. We would also issue an identity certificate(??) to the ASA.

When remote user tries to establish AnyConnect VPN, it presents its certificate to the ASA and at the same time validate the Identify certificate (??) presented by ASA to AnyConnect client, right?

And when the ASA see the client certificate, it would check if the client certificate 's issuer is trusted and the cert is not expried, and then it would accept the VPN connection? Or, would the ASA check with another server (e.g. MS CA server) to validate the client certficate and if the certicate is valid and not revoked?

Also, what is the different between Authentication with "certificate only" vs. "both" (i.e. radius + certificate)?

Thanks in advance.

Julio Carvajal · ‎05-21-2012

Hello,

The ASA will check the client Certificate based on the signature on that identity certificate from t the public key he has from the CA server..

I would say Radius + certificate would be an additional authentication step as the Radius server would be the one who decides if the certificate is valid ( He will need to have its own certificate)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

gaigl · ‎05-21-2012

Hello,

I'm currently doing the same Authentication and it's no big Problem:

the Users have an eToken with a User-Cert, from this Cert the Username is presented to the ASA, the ASA connects via RADIUS->ACS5.3-LDAP the Domain-Controller and the User must enter the Domain-Password. So the User gets only connected with a valid Cert and the Domain-Credentials.

1. you need on the ASA the Root-Cert of your CA (Remote-Access -> Certificate Management -> CA Certificate)

2. You need an Identity Certificate (Remote Access -> CertMgmt- Identity Certificate)

3. look this Path:

Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps

4. In the Client-Profile

Remote Access VPN > Network (Client) Access > AnyConnect Client Profile is the Cert-Store to Configure

Finally you have to configure AAA

hope I could help you

Karl

bugmn9900 · ‎07-12-2012

Glad to see this post. We're attempting to set up certificate based authentication for certain iPad VPN clients for the purpose of enabling the AnyConnect connect-on-demand feature.

I do have a further question. The only documentation I seem to be able to find are related to getting the identity cert set up on the ASA, which I've already got in place. I can't find anything explaining how to get the client certs in place and how to have the ASA use them. We'd be using Microsoft as our CA. Could anyone point me in the right direction? Anything pertaining to storing certs on the iPad would be especially helpful. Thanks!

raymng · ‎07-12-2012

I am the original poster. We made some good progress with help from Cisco TAC.

As to your question, do you actually mean installing MS CA root cert onto the ASA so ASA can authenticate the client cert presented by remote user machine? If so, this is what the Cisco TAC instruct us to read (and it works):

--- BEGIN QUOTE ---

Please refer below link. Search for "Obtaining Certificates Manually" .

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1051587

To import the Root CA cert, you just have to do step 1 and 2 mentioned in the above link .

Before doing Step 1 and step 2, you have to create a trustpoint like below .

crypto ca trustpoint RootCA

enrollment terminal

---- END QUOTE ---

If you truely mean "client cert" at remote users, I don't have answer on this yet although we are also working on this direction. For Windows machines, we plan to use MS Group Policy to push the client cert to all the users. The things we haven't figured out how to do is for the MAC machines and the iPad devices. We are talking to external vendor (e.g. MobileIron) and see if we can use their solution to push client cert to the iPad devices.

bugmn9900 · ‎07-13-2012

Ok. That's helpful.

So as long as the ASA trusts the CA and the cert is valid, authentication will pass (if it's certificate-only auth)?

In addition to MobileIron, are there any other solutions/vendors doing this? I don't work with the client side much, so I'd just be making recommendations to out client guys for this portion.

Thanks!

Javier Portuguez · ‎07-13-2012

Hi,

In order to configure two factor authentication you need:

1- The VPN clients enrolled with the proper CA.

2- The ASA needs to have a valid CA certficate from the same CA the clients got the certificate from.

3- Configure Radius / LDAP.

4- Define both authentication methods (AAA and certificate) under the tunnel-group-settings.

5- In addition, a certificate-map to make sure the ASA maps the session to the correct connection profile.

There are some other additional details, like LDAP attribute-mapping or Radius authorization (usually used with attribute 25).

Even DAP rules in conjunction to CSD and prelogin policies...

I hope you find this information helpful.

bugmn9900 · ‎07-17-2012

Thanks! This gives me a good picture of what needs to be in place.

Javier Portuguez · ‎07-17-2012

Hi,

I am glad to hear that.

Hope you have a nice day.

* Please rate any post you find helpful.