Cisco ASA 2FA for clientless VPN

teleformix
So I recently asked a question and got a great response quickly.  

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24827689.html

We've tested the multi-factor auth option and it works.  Right now we are using local auth and Active Directory auth, which obviously doesn't satisfy two-factor authentication.

Does anyone have a link they can provide with examples on how to set up certificate authentication?  Basically we have two options... 1) use the built-in CA on the ASA, 2) use Microsoft's CA.  I need to put this together rather quickly, so any assistance would be greatly appreciated.

I keep running into articles related to the ASA's own certificate, but nothing on user certificates related to authentication.

Thanks again everyone!
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Please refer to my comment on that question.
Commented:
To my fellow expert - the links you provided are for generating a self-signed certificate which doesn't even come close to meeting the eternal nightmare that is PCI-DSS requirements.

Teleformix:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

That is the basic procedure for doing this in a compliant way on the Cisco ASA. *HOWEVER* this method will no longer be considered valid 2-factor authentication unless the user specifically has the certificate on a smartcard or some such come PCI-DSS v3 which is more intense when it comes to this sort of thing.

Short version is: come v3, if the certificate is installed on the machine or on a router, etc., then it won't be valid. If it is on something that has a 1-to-1 relationship with the user then it *should* be valid, but I am presently in the process of boning up on the new standard.

If you have any issues with Cisco's article let me know and I can aid you or write something a bit more in-depth.

Commented:
I just glanced over that document. It specifies terminal enrollment; you can change this to URL to reference the MS CA, which is something like http://<ip address>:80/certsrv/mscep/mscep.dll

When you do this, you skip the manual stuff involving adding the certificate via the terminal.

Author

Commented:
Thank you for the link, however this link just covers using the Cisco VPN client.  Do you know if this process is adaptable to the clientless SSL VPN?

Thank you.

Commented:
Yeah, under the SSL VPN tunnel group specify the trust-point. Same way the article does.
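An added configuration example (not from this thread or Cisco's article) of what the answer above describes on an ASA 8.x: a trustpoint enrolled over SCEP to the Microsoft CA instead of terminal enrollment, client-certificate checking on the outside interface, and certificate plus AAA under the clientless tunnel group. The CA URL, hostnames, server group, policy and tunnel-group names are assumed placeholders; `username-from-certificate` is assumed to be available on your ASA release.

```cisco
! --- CA trust: the Microsoft CA that issues the user certificates ---
crypto key generate rsa label ASA-KEY modulus 2048
crypto ca trustpoint MS-CA
 ! SCEP enrollment against the MS CA (replaces "enrollment terminal"); placeholder IP
 enrollment url http://CA-IP-PLACEHOLDER:80/certsrv/mscep/mscep.dll
 subject-name CN=vpn.example.com,O=Example
 keypair ASA-KEY
 ! Reject users whose certificate the CA has since revoked
 revocation-check crl
! Fetch the CA certificate, then request the ASA's own identity certificate
crypto ca authenticate MS-CA
crypto ca enroll MS-CA

! --- Clientless SSL VPN listener on the outside interface ---
ssl trust-point MS-CA outside
! Ask the browser for a client certificate during the TLS handshake
ssl certificate-authentication interface outside port 443
webvpn
 enable outside
 tunnel-group-list enable

! --- AAA: Active Directory over LDAP stays as the "something you know" factor ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 server-type microsoft

group-policy CLIENTLESS-POLICY internal
group-policy CLIENTLESS-POLICY attributes
 vpn-tunnel-protocol webvpn

! --- Tunnel group: certificate (have) AND AAA password (know) = two factors ---
tunnel-group CLIENTLESS-2FA type remote-access
tunnel-group CLIENTLESS-2FA general-attributes
 authentication-server-group AD-LDAP
 default-group-policy CLIENTLESS-POLICY
 ! Derive the username from the certificate CN so it must match the AD account
 username-from-certificate CN
tunnel-group CLIENTLESS-2FA webvpn-attributes
 authentication aaa certificate
 group-alias clientless enable
```

Verify the chain with `show crypto ca certificates` and a test login from a browser that holds a user certificate from the same CA; a browser without one should be refused before the password prompt.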

Author

Commented:
Thanks for the help.  The solution is accurate; we haven't decided if we are going to abandon our current 2FA process/system.  Sorry for the delay.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi,

My friend, are you not reading anything???

I sent you other topics earlier...???
