Let's say the original idea was the traditional ACS with external DB
authentication. Then someone had the idea to complicate things and add
certificates to the setup. The users already have certificates and
according to their certificate attributes they will have access to
different resources. Does it make sense? I agree that it should be a
nightmare to troubleshoot, but there are guys that sell this and others that
buy and we are here to make it work :) I will check those INE posts to see
if I find something.
Thanks.
Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares_at_netcabo.pt
http://www.ccie18473.net
-----Original Message-----
From: Ryan West [mailto:rwest_at_zyedge.com]
Sent: Thursday, 7 June 2012 02:05
To: Antonio Soares; ccielab_at_groupstudy.com
Subject: RE: WebVPN with AAA and Certificates
On Wed, Jun 06, 2012 at 20:51:52, Antonio Soares wrote:
> Subject: WebVPN with AAA and Certificates
>
> Hello group,
>
> I'm looking for a sample configuration of Clientless WebVPN on the ASA
> with AAA and Certificate authentication.
>
> I need to implement a scenario with:
>
> ASA running 8.4.x
> Cisco ACS 5.3.x
> MS Active Directory
> MS Certification Authority
>
> I've checked the ACS 5.x examples:
>
> http://www.cisco.com/en/US/products/ps9911/prod_configuration_examples_list.html
>
> And the ASA examples:
>
> http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
>
For this implementation, I don't know how much value ACS brings. Do you
plan on providing other remote access functions or just clientless VPN? You
can enable client auth globally or you can enable per tunnel group via drop
down alias or group-url. I've read blog posts on INE that make the whole
thing pretty easy. My experience is that it's a total PIA and difficult to
troubleshoot.
How do you intend on generating the certificates? Will they be prepopulated
through a GPO or do you plan to enable AnyConnect to set up a temporary
tunnel to generate the cert?
Better yet, how do you envision it working?
-ryan
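The per-tunnel-group variant Ryan describes (certificate plus AAA on one clientless tunnel group, selected by group-url or alias, with a certificate map steering users to the group for their resources), written out as an added example configuration for ASA 8.4 that is not from this thread; the trustpoint, server, group and OU names are assumed placeholders.

```cisco
! Added example, not from the original thread. Names and addresses are assumed.
! MS CA that issued the user certificates; the ASA must trust it to validate clients.
crypto ca trustpoint MS-CA
 enrollment terminal
 crl configure
! Cisco ACS 5.3 as the AAA server (user/password check after the certificate passes).
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.5
 key <shared-secret-placeholder>
! Group policy for the clientless users (resources attached here, e.g. bookmarks).
group-policy ENG-GP internal
group-policy ENG-GP attributes
 vpn-tunnel-protocol ssl-clientless
! Map a certificate attribute to the tunnel group: OU=Engineering -> ENG-TG.
crypto ca certificate map ENG-MAP 10
 subject-name attr ou eq Engineering
! Tunnel group requiring BOTH a valid client certificate and AAA credentials.
tunnel-group ENG-TG type remote-access
tunnel-group ENG-TG general-attributes
 authentication-server-group ACS
 default-group-policy ENG-GP
 username-from-certificate CN
tunnel-group ENG-TG webvpn-attributes
 authentication aaa certificate
 pre-fill-username clientless
 group-alias engineering enable
 group-url https://vpn.example.com/eng enable
! Enable clientless WebVPN and the certificate-to-group mapping on the outside interface.
webvpn
 enable outside
 tunnel-group-list enable
 certificate-group-map ENG-MAP 10 ENG-TG
! Global alternative (client certificate demanded on the whole interface instead of per group):
! ssl certificate-authentication interface outside port 443
```

Certificate-only groups need no ACS at all, which is the point of Ryan's question; ACS only earns its place when the AAA step (or per-user authorization from AD) is required on top of the certificate check.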
Blogs and organic groups at http://www.ccie.net
Received on Thu Jun 07 2012 - 03:11:23 ART
This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:52 ART