Cisco Support Community

New Member

VPN Certificate Based Authentication

I understand people are using their internal PKI for authentication on wired and wireless networks, but it now has me thinking about VPN authentication.

If the internal PKI has been set up for both machine and user certificates already, can we use that as part of the authentication for VPN? Is this a recommended solution? Ideally we would like to set this up with an OTP server as well, with ISE configured on the backend.

What needs to happen with certificate revocation for VPN connection?


New Member

Also, how do we configure the

Also, how do we configure the ASA to allow certificate authentication to Staff with OTP, and say for remote support access to use a standard user/pass with or without OTP?

Hall of Fame Super Silver

You are on the right track.

You are on the right track. Client certificates plus OTP authentication is one of the most secure ways to set up remote access VPN on the ASA.

For revocation, the ASA will generally check the CRLs on the issuing CA (or in rare cases use OCSP).

For your second post, you use connection-profiles (i.e. pre-login selection) to configure the different authentication methods for your two (or more) use cases.

You might want to invest in the certification guide for the CCNP VPN exam:

CCNP Security VPN 642-648 Official Cert Guide (2nd Edition)

Even though that exam is being retired next month, it has a wealth of information that complements the configuration guides with a more comprehensive explanation of just the type of questions you are asking.
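An added configuration sketch, not taken from the thread or from Cisco documentation, of what the reply describes: a trustpoint for the internal CA with CRL checking, and two connection profiles (tunnel-groups) so that staff authenticate with certificate plus username/OTP while remote support uses username/password only. The interface name, RADIUS host, shared secret, group-policy names and the assumption that ISE forwards the OTP to a token server are all placeholders.

```cisco
! Trustpoint for the internal enterprise CA that issues the client certificates.
! revocation-check crl makes the ASA reject a client whose certificate is on the CA's CRL
! (the CRL distribution point is taken from the certificate itself: policy cdp).
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
!
! RADIUS server group pointing at ISE (assumed host/key); ISE is assumed to validate the OTP.
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.5
 key RADIUS-SHARED-SECRET-PLACEHOLDER
!
! Connection profile 1: staff. "authentication aaa certificate" requires BOTH a valid
! client certificate from INTERNAL-CA AND a successful RADIUS (username + OTP) login.
tunnel-group STAFF-CERT-OTP type remote-access
tunnel-group STAFF-CERT-OTP general-attributes
 authentication-server-group ISE-RADIUS
 default-group-policy STAFF-POLICY
tunnel-group STAFF-CERT-OTP webvpn-attributes
 authentication aaa certificate
 group-alias "Staff (Certificate + OTP)" enable
!
! Connection profile 2: remote support. Username/password only, no certificate.
tunnel-group SUPPORT-PW type remote-access
tunnel-group SUPPORT-PW general-attributes
 authentication-server-group ISE-RADIUS
 default-group-policy SUPPORT-POLICY
tunnel-group SUPPORT-PW webvpn-attributes
 authentication aaa
 group-alias "Remote Support" enable
!
! Show the profile drop-down (pre-login selection) to AnyConnect / clientless users.
webvpn
 tunnel-group-list enable
```

The group policies STAFF-POLICY and SUPPORT-POLICY (split tunnelling, ACLs, timeouts) are assumed to exist and are where the support profile would be given narrower access than staff.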