Community Member

[Cisco AnyConnect] Certificate authentication on RADIUS

Hi,

I'm using certificate authentication and LDAP authorization and it works fine.

Now, I want to centralize authentication and authorization on a RADIUS server (Cisco ACS in my case).

In connection profile, we have 3 authentication methods:

  • AAA: I can choose RADIUS or LDAP server group --> User is prompted for credentials user/password
  • Certificate: I can't choose AAA Server Group... --> User must provide certificate
  • Both: I can choose RADIUS or LDAP --> User is prompted for credentials user/password and user must provide certificate

If I choose the certificate authentication method, I can't delegate authentication and authorization to the RADIUS server.

Is there a solution for delegating certificate authentication to RADIUS?

I have different authorization rules for each VPN connection profile.

Can the ASA send the VPN connection profile to RADIUS (in a RADIUS attribute...)?

Thanks for your help,

Patrick

1 ACCEPTED SOLUTION
Cisco Employee

[Cisco AnyConnect] Certificate authentication on RADIUS

Patrick,

The key thing in deployments using WLC is that the supplicant on the client can talk EAP (including EAP-TLS), so the AAA server can authenticate the certificate.

In the case of AnyConnect or the old IPsec client, there is no way to send the full cert to the AAA server (either not implemented/redundant from the client's point of view, or not in the standard).

IOS also gives you the possibility to perform a PKI authorization call:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/15-2mt/sec-cfg-auth-rev-cert.html

AFAIR no similar mechanism exists on ASA.

M.

6 REPLIES
dmh
Community Member

[Cisco AnyConnect] Certificate authentication on RADIUS

Hi Patrick,

I've hit the same issue and came across your post. Have you worked out a solution?

If you can't centralise it you don't have a log of all the connections. Wireless certificate authentication works over RADIUS so ideally AnyConnect should too.

Thanks, Darren

Community Member

I have similar issue. 

I have a similar issue. AnyConnect VPN users can't authenticate with RADIUS; it defaults to local. I haven't specified local, nor do I want to. This is for two-factor authentication; AnyConnect VPN users have a certificate installed locally. The certificate is installed from AD, pushed down by group policy.

I tested aaa radius-server authentication and it was successful.

I have the config posted by Javier:

tunnel-group AnyConnect general-attributes
     authentication-server-group RADIUS
!
tunnel-group AnyConnect webvpn-attributes
     authentication aaa certificate

Any ideas? Am I missing something?

Also, what does the certificate-map-group command do?

[Cisco AnyConnect] Certificate authentication on RADIUS

Hi Patrick,

What exactly does not work?

You can have something like this:

tunnel-group AnyConnect general-attributes
     authentication-server-group RADIUS
!
tunnel-group AnyConnect webvpn-attributes
     authentication aaa certificate

Doing this, you will use RADIUS to authenticate your AD users and a certificate as the second factor of a two-factor authentication method.

Please let me know.

Thanks.

Portu.
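A fuller version of the combination Portu describes, written here as an added example rather than taken from the thread, that also shows the certificate-group-map the earlier reply asked about. The ASA itself validates the client certificate against a trustpoint (with revocation checking, since RADIUS never sees the certificate), a certificate map restricts which certificates are accepted and selects the connection profile, and RADIUS handles only the username/password leg. The server address, shared secret, trustpoint name, issuer CN, OU value and the ANYCONNECT-POLICY group policy are assumed placeholders.

```cisco
! RADIUS server group used for the username/password leg (address and key are placeholders)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Trustpoint holding the CA that issued the client certificates.
! The ASA, not RADIUS, validates the certificate, so revocation is checked here.
crypto ca trustpoint CLIENT-CA
 enrollment terminal
 revocation-check crl
 crl configure
!
! Accept only certificates from that CA whose subject OU marks VPN users
! (assumed issuer CN and OU values).
crypto ca certificate map VPN-USERS 10
 issuer-name attr cn eq ExampleIssuingCA
 subject-name attr ou eq VPNUsers
!
! Map certificates matching rule 10 of VPN-USERS to the AnyConnect profile
webvpn
 enable outside
 certificate-group-map VPN-USERS 10 AnyConnect
!
! Connection profile: certificate is validated locally, credentials go to RADIUS
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 authentication-server-group RADIUS
 default-group-policy ANYCONNECT-POLICY
tunnel-group AnyConnect webvpn-attributes
 authentication aaa certificate
 group-alias AnyConnect enable
```

A client whose certificate does not match the map, or whose certificate is revoked, is rejected by the ASA before any RADIUS request is sent, so the RADIUS accounting log only ever sees sessions that already passed the certificate check.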

Community Member

[Cisco AnyConnect] Certificate authentication on RADIUS

Hi,

@Darren, I contacted Cisco reseller support and there is no solution...

@Javier, if I choose certificate authentication, I can't delegate authentication to the RADIUS server. The ASA checks certificate validity...

As Darren said, Cisco WLC can delegate certificate authentication to RADIUS, but Cisco ASA can't.

Best regards,

Patrick

Gold

[Cisco AnyConnect] Certificate authentication on RADIUS

Did anyone try Portu's response?

tunnel-group AnyConnect general-attributes
     authentication-server-group RADIUS
!
tunnel-group AnyConnect webvpn-attributes
     authentication aaa certificate

I'm trying to do the same thing, except using ISE as the RADIUS server.

Thanks.
