Questions about certificate based authentication for VPNs

JohnNetEng
Level 1

We're considering going to a Certificate + AAA method of authenticating our VPN AnyConnect clients. This is in response to hackers attempting to brute-force their way into our network. It's a nuisance because they guess some of the account names correctly but never guess the password, and end up locking out our legitimate employee accounts relatively frequently. I have a few questions regarding this.

I understand we need to use one of our internal certificate servers in our Active Directory domain to authenticate VPN clients. We get our certs from GoDaddy so that our AnyConnect clients won't get certificate errors. Will our GoDaddy cert interfere with the cert we use from our internal cert server?

When we set the VPN connection profiles to AAA and Certificate, does it verify that the certificate is installed before performing the AAA authentication?

If we have vendors that connect to the VPN with non-domain computers, how do we get the certificate to them?

1 Reply

Having a public cert on the ASA/FTD and certs from a private CA for the clients is a typical approach. Nothing will interfere with that.

When the client connects, the ASA/FTD will first validate the certificate, and after that it will do the AAA authentication.

For the non-domain PC, you can either configure a separate connection profile without certificate authentication, or do a manual cert enrollment. With the latter you have the "problem" of distributing the cert with the private key to the vendor device in a secure way.
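The reply's three points (a private CA for clients that is separate from the headend's public cert, the certificate check running before AAA, and the manual enrollment plus secure delivery for non-domain machines) as an added worked example. This is not code from the thread or from Cisco: it is a bash script around openssl (1.1.1 or later assumed) that builds a throwaway private client CA, enrols a made-up vendor laptop, packages its cert and private key as a passphrase-protected PKCS#12, and runs the chain and purpose check a headend's client trustpoint performs before any AAA lookup. All names, paths and the passphrase are invented for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: private client CA, manual enrollment of a
# non-domain vendor laptop, passphrase-protected PKCS#12 for out-of-band delivery,
# and the certificate check that runs before AAA. Requires openssl 1.1.1+.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"     # scratch directory (assumption: writable tmp)
CFG="$WORK/req.cnf"

write_config() {
  # One config file: [dn] is a placeholder because -subj is always passed;
  # v3_ca and v3_client are the extension profiles for the two cert types.
  cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

make_ca() {
  # The private CA. Its certificate (not its key) is what the headend's client
  # trustpoint gets; the public (GoDaddy-style) cert stays on the identity side.
  write_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$CFG" -extensions v3_ca -subj "/CN=Example Corp VPN Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

issue_client_cert() {
  # $1 = identity (CN). Key and CSR are generated, then the CA signs the CSR
  # with the client-auth profile (clientAuth EKU, digitalSignature KU).
  local cn="$1"
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "/CN=$cn/O=Vendor" \
    -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$cn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$CFG" -extensions v3_client \
    -out "$WORK/$cn.crt" >/dev/null 2>&1
}

issue_self_signed() {
  # Stand-in for a cert from any other issuer: it does not chain to our CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$CFG" \
    -extensions v3_client -subj "/CN=$1/O=Somewhere Else" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

bundle_p12() {
  # $1 = CN, $2 = passphrase. The bundle carries the private key, so the
  # passphrase (MAC + encryption) is what protects it in transit.
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/ca.crt" -name "$1" -passout "pass:$2" -out "$WORK/$1.p12"
}

p12_opens() {
  # Succeeds only with the right passphrase (MAC verification fails otherwise).
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys -nocerts >/dev/null 2>&1
}

verify_client_cert() {
  # The headend's first gate: chain to the private CA, validity window,
  # client-auth purpose. Only a cert that passes this reaches AAA.
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1
}

cert_cn() {
  # Identity asserted by the certificate, which the AAA step then checks.
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt multiline \
    | sed -n 's/^ *commonName *= *//p'
}

# Demo run (constructed identities)
make_ca
issue_client_cert vendor-laptop-01
bundle_p12 vendor-laptop-01 'correct horse battery staple'
issue_self_signed other-issuer
if verify_client_cert vendor-laptop-01; then
  echo "vendor-laptop-01: certificate accepted, AAA runs for $(cert_cn vendor-laptop-01)"
fi
if ! verify_client_cert other-issuer; then
  echo "other-issuer: certificate rejected, AAA never consulted"
fi
echo "Deliver $WORK/vendor-laptop-01.p12 and its passphrase over separate channels"
```

The script only models the PKI side. On the headend, the private CA certificate goes into the trustpoint used for client authentication while the public cert remains the identity cert, so the two never collide; a client cert that does not chain to the private CA, whoever issued it, fails `verify_client_cert` and the password is never attempted, which is what takes the brute-forcers out of the lockout loop. For the vendor's machine, send the .p12 and the passphrase by different channels (never the CA key), and if an older importing system rejects the default PKCS#12 algorithms, OpenSSL 3 offers `-legacy` on the export.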