Cisco Support Community
Community Member

ASA AnyConnect double authentication with machine and user certificate


Basics: newest ASA/AnyConnect software and Windows client


I want to do the following:

  • First authentication with a user certificate: checking for the user
  • Second authentication with a machine certificate: checking for company hardware

(No user interaction should be necessary while the connection is being established.)


With the default "Connection Profiles" configuration it is only possible to configure the authentication method "both", which means certificate and AAA, i.e. username + password/passcode.


Is there any way to implement double certificate authentication as described above?

  • Maybe with help/support from DAP or the SDM prelogin policy.


Regards, Marcus



You could check for secret registry keys with the prelogin policy to verify that it's company hardware.

Michael

Please rate all helpful posts
Hall of Fame Super Silver


On your connection profile editing window, go under "advanced". There you have the option of specifying a secondary authentication method independent of the primary method. Using that approach, you can specify certificate method for both authentications.

As noted, you could also have a prelogin policy (DAP) check for various files (or even their hashes, for greater security), registry keys, etc. For instance, you could check that the machine is a domain machine (independent of the user).
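As an added example (not configuration from this thread, and not taken from Cisco documentation), the CLI form of the connection-profile settings described above: the primary method set to certificate plus AAA ("both"), and a secondary authentication server group configured under the tunnel group's general attributes, which is what the ASDM "Advanced" page writes. The tunnel-group, address-pool, server-group, group-policy and trustpoint names are assumptions.

```cisco
! Added example; CORP-VPN, VPN-POOL, LDAP-SRV, GP-CORP and CORP-CA are assumed names.
!
! Trustpoint for the CA that issued the client (user or machine) certificates.
crypto ca trustpoint CORP-CA
 enrollment terminal
!
! Remote-access tunnel group (the ASDM "connection profile").
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy GP-CORP
 ! Primary AAA server group (LDAP here).
 authentication-server-group LDAP-SRV
 ! Secondary authentication group (ASDM: Advanced > Secondary Authentication);
 ! use-primary-username reuses the primary username instead of prompting twice.
 secondary-authentication-server-group LOCAL use-primary-username
tunnel-group CORP-VPN webvpn-attributes
 ! "Both": the client must present a certificate chaining to the trustpoint AND pass AAA.
 authentication aaa certificate
 ! Take the AAA username from the certificate CN so the user is not prompted for it.
 pre-fill-username ssl-client
 username-from-certificate CN
 group-alias CORP enable
```

The secondary method in this form is still an AAA group, so it collects a password; the fragment shows where the secondary-authentication setting lives in the configuration, not a prompt-free double-certificate check. Whether the certificate the client offers comes from the machine or the user store is decided on the client side, in the AnyConnect profile, and is not part of this fragment.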

Community Member


We're having a similar problem.

We are using two-factor authentication by checking the computer certificate and username/password (LDAP). This works just fine for the majority of our employees.

Now we are trying to implement an exception for a few users. Those should be able to authenticate by "user certificates" (or better, computer and user certificates).

DAP is not an option, due to the Essentials license.



Community Member

Hi,

I am trying to implement dual authentication (LDAP + computer certificate). Currently LDAP authentication works perfectly, but when I try to implement computer-certificate-based authentication, AnyConnect shows an error. Could you kindly send me a URL for reference on how to implement this, or guide me?

Your kind support is required.



Hi Marvin,

Can you tell us what would be the parameters to check if it's a domain machine?

How can we tell AnyConnect to send machine information?

Thank you!

Hall of Fame Super Silver


You need to use Cisco Secure Desktop to scan the host and send back the registry key that identifies the domain to which the machine has been joined. An example of how to do so is in this document.

Community Member

I have almost the same situation and need a bit of help.


I have an ASA 5520 and it is now possible to connect with AnyConnect using either user/pass or a machine certificate. But how do I set it up so that it first checks the machine certificate, and if it is not present, asks for user/pass?

