ASA AnyConnect Certificate Authentication

Cisco ASA AnyConnect VPN Certificate Authentication enhances security by providing strong, encrypted authentication while reducing reliance on passwords. It can be used as the sole authentication method for a seamless, passwordless experience or combined with password-based authentication for added security through integration with Cisco ISE or Cisco Duo.

ASA Certificate

First we need to add the Root CA certificate to the ASA: on Configuration » Remote Access VPN » CA Certificates, click Add and import the Root CA.

Then we create a CSR for the Identity Certificate, named “VPN-Certificate”: click Add and fill in the details.

And export the CSR

Sign the CSR on the Certificate Authority (CA) Server

Then install the certificate

Finally attach the certificate to the outside interface

ssl trust-point VPN-Certificate outside


ASA VPN

Here we’ll modify an existing Connection Profile to use Certificate Authentication; all that needs to be done is changing the Authentication Method to “Certificate Only”.

And on Advanced » Authentication, select UPN (the User Principal Name field of the certificate) as the value to be used as the client’s username.

Client Certificate

On a client PC that is part of the domain, open Personal Certificates and create a new User Certificate.

The newly issued certificate should now be present in the Personal Certificates store.

Now if we try accessing the ASA’s VPN gateway, we should be prompted to use our User Certificate.

VPN Authentication with Certificate

Now when we connect to the VPN, we can see that the certificate is used for authentication.

And after successfully connecting, the certificate authentication details can be seen on the ASA.

VPN Authentication with Certificate and AAA

Other than using Certificate Only, we can also use the certificate on top of password-based authentication; for example, here we’ll also use ISE.

x
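
As an added example (not configuration from the original post), this is the ASA CLI equivalent of the ASDM steps in the ASA Certificate, ASA VPN and AAA sections above. The trustpoint, key-pair, tunnel-group and AAA server names, the subject name, the RADIUS host address and the shared key are all assumed placeholders.

```cisco
! --- Root CA trustpoint (ASDM: Remote Access VPN > CA Certificates) ---
crypto ca trustpoint ROOT-CA
 enrollment terminal
 revocation-check crl
crypto ca authenticate ROOT-CA
! (paste the Base64 Root CA certificate, then type "quit")
!
! --- Identity certificate: key pair, CSR, then import the signed cert ---
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint VPN-Certificate
 enrollment terminal
 subject-name CN=vpn.example.com,O=Example
 keypair VPN-KEY
crypto ca enroll VPN-Certificate
! (the CSR is printed; sign it on the CA, then paste the result below)
crypto ca import VPN-Certificate certificate
!
! --- Attach the identity certificate to the outside interface ---
ssl trust-point VPN-Certificate outside
!
! --- Connection profile: Certificate Only, username taken from the UPN ---
tunnel-group CERT-VPN type remote-access
tunnel-group CERT-VPN webvpn-attributes
 authentication certificate
 username-from-certificate UPN
 group-alias CERT-VPN enable
!
! --- Variant: certificate validated first, then username/password via ISE ---
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.10
 key PLACEHOLDER-RADIUS-KEY
tunnel-group CERT-AAA-VPN type remote-access
tunnel-group CERT-AAA-VPN general-attributes
 authentication-server-group ISE
tunnel-group CERT-AAA-VPN webvpn-attributes
 authentication aaa certificate
 username-from-certificate UPN
 group-alias CERT-AAA-VPN enable
```

The `revocation-check crl` line is not part of the ASDM steps above; it is included so that a user certificate that has been copied off its original PC can be revoked on the CA and then rejected by the ASA.
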


When we connect to the VPN, the certificate is validated first, before the username and password form is presented.

Invalid Certificate

If we try connecting without a User Certificate, we get an invalid certificate error.

The not so cool thing is that if we export the User Certificate (along with its private key) from one PC and import it on another PC under a different user, even one that is not part of the domain, we are still allowed to authenticate: the ASA only checks that the certificate chains to the trusted CA and that the client holds the matching private key, not which machine or user presents it.

This post is licensed under CC BY 4.0 by the author.