Two-factor authentication, certificates and Active Directory integrated with ACS 5.3.
Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares_at_netcabo.pt
http://www.ccie18473.net
From: Alexei Monastyrnyi [mailto:alexeim73_at_gmail.com]
Sent: Thursday, 7 June 2012 02:43
To: Antonio Soares
Cc: ccielab_at_groupstudy.com; Ryan West
Subject: Re: WebVPN with AAA and Certificates
Also will it be just Cert based authentication or two-factor one with
password or RSA token?
Not directly connected, we had a corporate WiFi deployment with
machine-based cert authentication in AD 4-5 years ago, worked quite well at
the end of the day. But I reckon we had to use ACS 4.2 to pull out some
RADIUS attributes... it was not easy to set up.
Good luck.
A.
On 7 June 2012 11:04, Ryan West <rwest_at_zyedge.com> wrote:
On Wed, Jun 06, 2012 at 20:51:52, Antonio Soares wrote:
> Subject: WebVPN with AAA and Certificates
>
> Hello group,
>
> I'm looking for a sample configuration of Clientless WebVPN on the ASA
> with AAA and Certificate authentication.
>
> I need to implement a scenario with:
>
> ASA running 8.4.x
> Cisco ACS 5.3.x
> MS Active Directory
> MS Certification Authority
>
> I've checked the ACS 5.x examples:
>
> http://www.cisco.com/en/US/products/ps9911/prod_configuration_examples_list.html
>
> And the ASA examples:
>
> http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
>
For this implementation, I don't know how much value ACS brings. Do you
plan on providing other remote access functions or just clientless VPN? You
can enable client auth globally or you can enable per tunnel group via drop
down alias or group-url. I've read blog posts on INE that make the whole
thing pretty easy. My experience is that it's a total PIA and difficult to
troubleshoot.
How do you intend on generating the certificates? Will they be prepopulated
through a GPO or do you plan to enable AnyConnect to set up a temporary
tunnel to generate the cert?
Better yet, how do you envision it working?
-ryan
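As an added illustration of the per-tunnel-group approach Ryan describes (not part of the original thread or of any Cisco example), here is an ASA 8.4 configuration fragment that requires a client certificate from the enterprise CA and then also authenticates the user against ACS over RADIUS. The trustpoint, server group, group-policy and tunnel-group names, the ACS address 10.0.0.10 and the URL vpn.example.com are placeholders chosen for this example.

```cisco
! Placeholder trustpoint for the MS Certification Authority. The CA
! certificate is imported out of band (crypto ca authenticate CORP-CA)
! so the ASA can validate client certificates issued by that CA.
crypto ca trustpoint CORP-CA
 enrollment terminal
 crl configure

! AAA server group for ACS 5.3 over RADIUS (address and key are placeholders).
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.10
 key REPLACE-WITH-SHARED-SECRET

! Group policy that restricts this tunnel group to clientless SSL VPN only.
group-policy GP-CLIENTLESS internal
group-policy GP-CLIENTLESS attributes
 vpn-tunnel-protocol ssl-clientless

! Tunnel group: "authentication aaa certificate" means the session is
! accepted only if the client certificate validates AND the ACS/AD
! credentials succeed, i.e. two factors rather than either one alone.
! The alias appears in the login drop-down; the group-url selects the
! tunnel group directly without exposing the drop-down list.
tunnel-group TG-CERT-AAA type remote-access
tunnel-group TG-CERT-AAA general-attributes
 authentication-server-group ACS
 default-group-policy GP-CLIENTLESS
tunnel-group TG-CERT-AAA webvpn-attributes
 authentication aaa certificate
 group-alias CERT-AAA enable
 group-url https://vpn.example.com/certaaa enable

! Enable the clientless portal on the outside interface and show the
! tunnel-group drop-down so the alias above is selectable.
webvpn
 enable outside
 tunnel-group-list enable
```

When troubleshooting a failed logon, "debug webvpn 255" and "debug aaa common 255" separate certificate-validation failures from RADIUS rejections, which helps with the difficulty Ryan mentions.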
Received on Thu Jun 07 2012 - 03:14:07 ART
This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:52 ART