cfan73

asked on

AnyConnect VPN endpoint authentication/validation

Customer is looking to implement support for validating Cisco AnyConnect VPN endpoints based on the presence of machine-level certificates. The workstation would not allow the VPN client connection unless the corp certificate was installed.

  1. Can the above be handled strictly through the AnyConnect client (and whatever included modules, such as Host Scan/Endpoint Assessment)?
  2. If “yes” to the above, is this wholly an AnyConnect function or does it require configuration on the back-end ASA to deploy?
  3. If “no” to #1, what additional components would be required?  Is a RADIUS/AAA server also required, if again we’re only testing machine certs for authentication vs. users?

I’m really just trying to determine if this would be supported with what they already own (Cisco ASA firewalls and AnyConnect 4.x Apex licensing) vs. having to roll out a full 802.1X solution (a la ISE or something), which would obviously be a significant expense.

Thank you – reference links/documentation (including configuration info) are always appreciated.

Craig Beck

Simply using a machine certificate is not recommended.  You should use it with other credentials.

This Cisco guide will help...

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html
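As an added illustration of the combination recommended above (a certificate plus a second credential), here is a minimal ASA configuration in which the AnyConnect tunnel-group requires a certificate from the corporate CA and also authenticates the user directly against Active Directory over LDAP, with no separate RADIUS/AAA box in the path. This is example configuration written for this thread, not the original answer's or the linked Cisco guide's; every name and address (CORP-CA, AD_LDAP, 10.0.0.10, dc=example,dc=com, ANYCONNECT-TG, ANYCONNECT-GP) is a placeholder, and the certificate-related lines assume the CA certificate is pasted in via terminal enrollment.

```cisco
! All names, addresses and DNs below are placeholders for this example.
!
! Trustpoint for the corporate CA that issued the machine certificates;
! the CA cert is pasted in at the terminal and CRL checking is required so
! that a revoked machine cert is rejected.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl
!
! Active Directory reached directly over LDAP from the ASA: the ASA is the
! LDAP client, so no intermediate RADIUS/AAA server is required for this.
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
!
! Group policy and tunnel-group for the AnyConnect users.
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group AD_LDAP
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 ! "aaa certificate": the client must present a valid certificate chained
 ! to a configured trustpoint AND the user must pass LDAP authentication.
 authentication aaa certificate
!
webvpn
 enable outside
 anyconnect enable
```

The important line for this thread is `authentication aaa certificate`: with `certificate` alone the ASA would accept any valid cert and prompt for nothing else, which is the single-factor setup the answer above advises against; `aaa certificate` makes both checks mandatory. Host Scan/Endpoint Assessment is not needed for the certificate requirement itself, since the ASA validates the certificate during the TLS handshake; it only adds posture checks on top.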
cfan73

ASKER

Thanks for your feedback, and understood.

One follow-up question - Can the ASA authenticate a user directly to AD without the middle layer of having an AAA server? In other words, if we can use AD for user authentication and Host Scan/Endpoint Assessment to handle the certificate presence, would there be no requirement for AAA? (I understand that AAA would be necessary to deploy additional security policies - 802.1X, etc.)

The configuration example you provided references AAA even though it'd appear that they're using local auth in some cases.

Thanks again

ASKER CERTIFIED SOLUTION
Craig Beck

This solution is only available to members.

cfan73

ASKER

Great - thanks for your help!