Re: WebVPN with AAA and Certificates

From: Alexei Monastyrnyi <alexeim73_at_gmail.com>
Date: Thu, 7 Jun 2012 11:43:12 +1000

Also, will it be just cert-based authentication or a two-factor one with
password or RSA token?

Not directly connected, we had a corporate WiFi deployment with
machine-based cert authentication in AD 4-5 years ago, worked quite well at
the end of the day. But I reckon we had to use ACS 4.2 to pull out some
RADIUS attributes... it was not easy to set up.

Good luck.

A.

On 7 June 2012 11:04, Ryan West <rwest_at_zyedge.com> wrote:

> On Wed, Jun 06, 2012 at 20:51:52, Antonio Soares wrote:
> > Subject: WebVPN with AAA and Certificates
> >
> > Hello group,
> >
> > I'm looking for a sample configuration of Clientless WebVPN on the ASA
> > with AAA and Certificate authentication.
> >
> > I need to implement a scenario with:
> >
> > ASA running 8.4.x
> > Cisco ACS 5.3.x
> > MS Active Directory
> > MS Certification Authority
> >
> > I've checked the ACS 5.x examples:
> >
> > http://www.cisco.com/en/US/products/ps9911/prod_configuration_examples_list.html
> >
> > And the ASA examples:
> >
> > http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
> >
>
> For this implementation, I don't know how much value ACS brings. Do you
> plan on providing other remote access functions or just clientless VPN?
> You can enable client auth globally or you can enable per tunnel group via
> drop down alias or group-url. I've read blog posts on INE that make the
> whole thing pretty easy. My experience is that it's a total PIA and
> difficult to troubleshoot.
>
> How do you intend on generating the certificates? Will they be
> prepopulated through a GPO or do you plan to enable AnyConnect to set up a
> temporary tunnel to generate the cert?
>
> Better yet, how do you envision it working?
>
> -ryan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Thu Jun 07 2012 - 11:43:12 ART

This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:52 ART