I am setting up an evaluation deployment of the Cisco ASA SSL VPN. Our intended use will be as Client (AnyConnect) Access for Employees and as Clientless Access for third parties (i.e. contractors, consultants, alumni, etc.). Both will use username/password for Authentication. For Employees, we want to take this one step further and check for the existence of a certificate on corporate issued hardware. The certificate would be issued by an internal CA (and we do not currently use Revocation Lists). I have found that I can set this up in two methods; either as a Prelogin Policy to check for the existence of the certificate, or within the Connection Profile Authentication as Both. If I use a Prelogin Policy I understand I need to map the Failure case to an appropriate policy to account for the third party access.
What would be the benefits / disadvantages in selecting one certificate check method over another? I'm trying to avoid being short sighted in the deployment and do not see how one method may be more or less advantageous than the other.
The CSD pre-login check will only validate that the certificate with specified attributes exists on the client machine. Modifying the authentication method under the connection profile will require the connecting user to present their identity to the ASA as part of the authentication process. You can use Dynamic Access Policies (DAP) to provide more granular control over user access. For example, an employee with a matching certificate is provided with unrestricted AnyConnect access while a vendor is provided with a clientless WebVPN portal with a single RDP bookmark.
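As an added illustration (not from this thread or from Cisco documentation), this is what the two connection profiles discussed above look in ASA CLI: the employee profile set to "Both" (RADIUS AAA plus a certificate from the internal CA) and the third-party profile set to AAA only, each mapped to a group policy that limits it to AnyConnect or clientless access. All names, the server address and the RADIUS key are placeholders; DAP selection criteria (such as the CSD policy label used as an endpoint attribute) are defined in ASDM and are not shown.

```cisco
! Trust the internal CA that issues the employee device certificates.
! revocation-check none matches the poster's current setup (no CRL): a
! certificate on a lost device stays valid until revocation checking is enabled.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 revocation-check none
!
! RADIUS server group used for username/password AAA (placeholder host and key)
aaa-server RADIUS-GRP protocol radius
aaa-server RADIUS-GRP (inside) host 192.0.2.10
 key PLACEHOLDER-RADIUS-KEY
!
! Employee policy: full AnyConnect client access
group-policy GP-EMPLOYEE internal
group-policy GP-EMPLOYEE attributes
 vpn-tunnel-protocol ssl-client
!
! Third-party policy: clientless portal only
group-policy GP-THIRDPARTY internal
group-policy GP-THIRDPARTY attributes
 vpn-tunnel-protocol ssl-clientless
!
! Employee profile: "Both" = AAA (RADIUS) and a client certificate
tunnel-group EMPLOYEE-VPN type remote-access
tunnel-group EMPLOYEE-VPN general-attributes
 authentication-server-group RADIUS-GRP
 default-group-policy GP-EMPLOYEE
tunnel-group EMPLOYEE-VPN webvpn-attributes
 authentication aaa certificate
 group-alias Employees enable
!
! Third-party profile: AAA only, no certificate required
tunnel-group THIRDPARTY-VPN type remote-access
tunnel-group THIRDPARTY-VPN general-attributes
 authentication-server-group RADIUS-GRP
 default-group-policy GP-THIRDPARTY
tunnel-group THIRDPARTY-VPN webvpn-attributes
 authentication aaa
 group-alias ThirdParty enable
!
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

On ASA 8.2 and earlier the AnyConnect keywords are `svc enable` and `vpn-tunnel-protocol svc` instead of `anyconnect enable` and `ssl-client`.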
I get that part and we are fine with the user having to "authenticate to the ASA" as part of the login access process. My problem arises when I try to set up the DAP to identify users in a specific group, using RADIUS authentication as the attribute. We are not using LDAP for the AAA or I would set it up using that instead. I need to use the RADIUS authentication which does not seem to be working.
Thanks for the information, Todd. Your post brings up an interesting point about leveraging DAP. As far as I am aware, DAP cannot check for the existence of a certificate itself, but if a Prelogin Policy validates that a certificate exists, I can set the Policy Label which can then be referenced in DAP as an Endpoint attribute. This would be a favorable nod towards using a Prelogin Policy to check for a certificate.
Would there be any compelling reason to use both AAA and certificate as the Authentication method for the Connection Profile?
Vikas, we would be using two-factor authentication, AAA and Certificate. If an asset were lost or stolen we would be able to change the password or disable the AAA account of the user. I know it's not ideal since the Certificate would still exist on the asset, but it does help mitigate our exposure.