Cisco Support Community

New Member

Cisco ASA SSL VPN and Certificate Usage

I am setting up an evaluation deployment of the Cisco ASA SSL VPN.  Our intended use will be as Client (AnyConnect) Access for Employees and as Clientless Access for third parties (i.e. contractors, consultants, alumni, etc.).  Both will use username/password for Authentication.  For Employees, we want to take this one step further and check for the existence of a certificate on corporate issued hardware.  The certificate would be issued by an internal CA (and we do not currently use Revocation Lists).  I have found that I can set this up in two methods; either as a Prelogin Policy to check for the existence of the certificate, or within the Connection Profile Authentication as Both.  If I use a Prelogin Policy I understand I need to map the Failure case to an appropriate policy to account for the third party access.

What would be the benefits / disadvantages in selecting one certificate check method over another?  I'm trying to avoid being short sighted in the deployment and do not see how one method may be more or less advantageous than the other.

Cheers.

7 REPLIES

Re: Cisco ASA SSL VPN and Certificate Usage

The CSD pre-login check will only validate that the certificate with specified attributes exists on the client machine.  Modifying the authentication method under the connection profile will require the connecting user to present their identity to the ASA as part of the authentication process.  You can use Dynamic Access Policies (DAP) to provide more granular control over user access.  For example, an employee with matching certificate is provided with unrestricted AnyConnect access while a vendor is provided with a clientless WebVPN portal with a single RDP bookmark.

http://www.cisco.com/en/US/customer/products/ps6120/products_white_paper09186a00809fcf38.shtml

New Member

Re: Cisco ASA SSL VPN and Certificate Usage

I get that part and we are fine with the user having to "authenticate to the ASA" as part of the login access process.  My problem comes when I try to set up the DAP to identify users in a specific group, using Radius authentication as the attribute.  We are not using LDAP for the AAA or I would set it up using that instead.  I need to use the Radius authentication which does not seem to be working.

I have attached a screen shot of the DAP.

thanks,

Rod

New Member

Re: Cisco ASA SSL VPN and Certificate Usage

Thanks for the information, Todd.  Your post brings up an interesting point about leveraging DAP.  As far as I am aware, DAP cannot check for the existence of a certificate itself, but if a Prelogin Policy validates that a certificate exists, I can set the Policy Label which can then be referenced in DAP as an Endpoint attribute.  This would be a favorable nod towards using a Prelogin Policy to check for a certificate.

Would there be any compelling reason to use both AAA and certificate as the Authentication method for the Connection Profile?

Cisco Employee

Re: Cisco ASA SSL VPN and Certificate Usage

Since you are not using revocation, what is the safeguard if the company asset is stolen?

-Vikas

New Member

Re: Cisco ASA SSL VPN and Certificate Usage

Vikas, we would be using two-factor authentication, AAA and Certificate.  If an asset were lost or stolen we would be able to change the password or disable the AAA account of the user.  I know it's not ideal since the Certificate would still exist on the asset, but it does help mitigate our exposure.

Cisco Employee

Re: Cisco ASA SSL VPN and Certificate Usage

Hi,

>>Would there be any compelling reason to use both AAA and certificate as the Authentication method for the Connection Profile?

My question/statement was actually in response to the above.

Two factor is a must, OTP preferred.

If it is a machine cert then you can also have the serial number of the asset embedded in the cert CN. If the asset is stolen then the cert can be blocked using the cert maps and DAP.
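The approach described in this reply (AAA plus machine certificate on the connection profile, asset serial in the CN, a certificate map to single out a stolen asset) as an added ASA configuration example; it is not from the thread, and the trustpoint, server group, tunnel-group and map names, the CA name and the serial number are all assumed placeholders.

```cisco
! Added example, not from the thread. Names and values are placeholders.
! Certificate map 1: any cert issued by the internal CA to a corporate laptop.
crypto ca certificate map CORP-MACHINE 10
 issuer-name attr cn eq "Corp Internal CA"
 subject-name attr ou eq "Corporate Laptops"
! Certificate map 2: the one stolen asset, matched on the serial embedded in the CN.
! Lower sequence numbers are evaluated first, so the block rule must precede the allow rule.
crypto ca certificate map STOLEN-ASSET 5
 subject-name attr cn co "SN-0000-PLACEHOLDER"
! Employee profile: user must pass RADIUS AND present a cert from the trustpoint.
tunnel-group EMPLOYEE-TG type remote-access
tunnel-group EMPLOYEE-TG general-attributes
 authentication-server-group RADIUS-SRV
tunnel-group EMPLOYEE-TG webvpn-attributes
 authentication aaa certificate
! Quarantine profile: stolen assets are steered here and then terminated by DAP.
tunnel-group STOLEN-TG type remote-access
tunnel-group STOLEN-TG webvpn-attributes
 authentication aaa certificate
! Map certificates to connection profiles for SSL VPN.
webvpn
 certificate-group-map STOLEN-ASSET 5 STOLEN-TG
 certificate-group-map CORP-MACHINE 10 EMPLOYEE-TG
! In ASDM, create a DAP record whose AAA attribute "Cisco > Tunnel Group" equals
! STOLEN-TG with Action = Terminate; DAP rules are not expressed in this CLI.
```

Adding a stolen serial to STOLEN-ASSET blocks the device even though the certificate itself is never revoked; the AAA account can be disabled independently.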

New Member

Re: Cisco ASA SSL VPN and Certificate Usage

Content Removed.
