Use an AnyConnect certificate and OTP-based authentication

by Mayukh Mandal, Network Security Engineer, Rackspace Technology

Introduction

Certificate-based authentication is one of the most secure methods Cisco AnyConnect offers for remote VPN access; in the flow described here, a one-time password (OTP) is used to enroll for the identity certificate.

Since software version 8, Cisco® has included a complete certificate authority (CA) solution in the firewall with a web front end. This post describes how to use the built-in CA server feature of the Adaptive Security Appliance (ASA) to issue certificates to SSL clients and perform certificate-based authentication.

Overview

Use the following steps to implement certificate and OTP-based authentication for an existing AnyConnect® environment:

  • Check and sync the time
  • Activate and configure local CA server
  • Create user accounts for all users eligible to obtain an identity certificate from ASA
  • Create a tunnel group that uses certificate-based authentication
  • Change the VPN authentication to the certificate
  • Create a certificate map to the connection profile

Set up certificate-based authentication

Perform the following steps to set up certificate-based authentication for AnyConnect remote access VPN:

1. Verify the correct date and time

Use the following commands to verify the current time:

    show clock
    show ntp status

If the time is not synchronized correctly, configure the ASA to sync with an external NTP server; certificate validity checks depend on a correct clock.

2. Activate and configure the local CA server

Issue the following commands to activate the local CA server, configure the certificate lifetimes, key sizes, and issuer name, and set a strong passphrase that protects the local CA server. You can also configure the SMTP server used to send users instructions for obtaining identity certificates.

    crypto ca server
    lifetime ca-certificate 3650
    lifetime certificate 365
    keysize 2048
    keysize server 2048
    issuer-name CN=anyconnect certificate authentication
    no shutdown passphrase Cisco987

3. Create user accounts and a one-time password

After you enable the CA, use the following commands to create user accounts for all the users eligible to obtain an ASA identity certificate.

    crypto ca server user-db add cert_user dn CN=cert_user,OU=IT,O=exampleorganization
    crypto ca server user-db allow user cert_user display-otp

Take note of the OTP and keep it handy.

To download and import the certificate, browse to
**https://\<firewall IP address\>/+CSCOCA/+enroll** and log in with your
username and OTP, as shown in the following image.

[Image: local CA enrollment login page, username and OTP]

4. Create a tunnel group

Run the following commands to create the tunnel group that will use certificate-based authentication:

    tunnel-group AnyConnect-TG-Cert type remote-access
    tunnel-group AnyConnect-TG-Cert general-attributes
    address-pool AnyConnect-Pool
    default-group-policy AnyConnect-GP

5. Change the VPN authentication

Run the following commands to change the VPN authentication to the certificate:

    tunnel-group AnyConnect-TG-Cert webvpn-attributes
    authentication certificate

6. Create a certificate map

Run the following commands to create a certificate map and bind it to the tunnel group, so the ASA selects the right connection profile for users who authenticate with identity certificates (here, any certificate whose subject OU is IT):

    crypto ca certificate map Cert-MAP 100
    subject-name attr ou eq IT
    webvpn
    certificate-group-map Cert-MAP 100 AnyConnect-TG-Cert

7. Connect to the VPN portal

After you complete the preceding steps, the system will prompt users for certificate-based authentication when they connect to the VPN portal, as shown in the following image:

[Image: AnyConnect VPN portal prompting for certificate-based authentication]
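The following Python model is an added example, not ASA code or the author's configuration. It mirrors how the certificate map from step 6 (`subject-name attr ou eq IT` mapped to `AnyConnect-TG-Cert`) selects a tunnel group, and why step 1 matters: a certificate is checked against the firewall clock before any map rule is consulted. The DN parser, the rule table layout, the first-match evaluation order, the case-insensitive comparison, the fallback to `DefaultWEBVPNGroup`, and the three sample certificates are all assumptions constructed for the example.

```python
"""Model of ASA certificate-map evaluation for the steps above.

Added example, not ASA code. It mirrors the page's rule
    crypto ca certificate map Cert-MAP 100
        subject-name attr ou eq IT
    certificate-group-map Cert-MAP 100 AnyConnect-TG-Cert
together with the validity-period check that depends on a correct clock.
"""
from datetime import datetime, timedelta, timezone

# Rule table mirroring the page's map:
# (map name, sequence, attribute, operator, value, tunnel group).
# Assumption: lower sequence numbers are evaluated first and the first match wins.
CERT_MAP_RULES = [
    ("Cert-MAP", 100, "ou", "eq", "IT", "AnyConnect-TG-Cert"),
]

# Fallback when no rule matches (DefaultWEBVPNGroup is the ASA default profile).
DEFAULT_TUNNEL_GROUP = "DefaultWEBVPNGroup"

# Constructed sample identity certificates: subject DN, not-before, not-after.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "cert_user": ("CN=cert_user,OU=IT,O=exampleorganization",
                  NOW - timedelta(days=30), NOW + timedelta(days=335)),
    "hr_user": ("CN=hr_user,OU=HR,O=exampleorganization",
                NOW - timedelta(days=30), NOW + timedelta(days=335)),
    "old_user": ("CN=old_user,OU=IT,O=exampleorganization",
                 NOW - timedelta(days=400), NOW - timedelta(days=35)),
}


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514-style DN into {attribute: value}; keys are lowercased,
    and a backslash escapes the next character so 'Doe\\, Jane' keeps its comma."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def match_rule(attrs: dict, attr: str, op: str, value: str) -> bool:
    """Evaluate one 'subject-name attr <attr> <op> <value>' line.
    Assumption: comparisons are case-insensitive, as on the ASA."""
    actual = attrs.get(attr.lower())
    if actual is None:
        return False
    a, v = actual.lower(), value.lower()
    return {"eq": a == v, "ne": a != v, "co": v in a, "nc": v not in a}[op]


def select_tunnel_group(subject_dn, not_before, not_after, now, rules=CERT_MAP_RULES):
    """Return (tunnel_group, reason). None means the certificate is rejected
    before any map rule is consulted because the clock says it is not valid."""
    if not (not_before <= now <= not_after):
        return None, "certificate outside its validity period"
    attrs = parse_dn(subject_dn)
    for name, seq, attr, op, value, tunnel_group in sorted(rules, key=lambda r: r[1]):
        if match_rule(attrs, attr, op, value):
            return tunnel_group, f"matched {name} {seq}"
    return DEFAULT_TUNNEL_GROUP, "no certificate-map rule matched"


def classify_all(now=NOW):
    """Tunnel group chosen for each sample certificate at the given clock time."""
    return {user: select_tunnel_group(dn, nb, na, now)[0]
            for user, (dn, nb, na) in SAMPLE_CERTS.items()}


def skewed_clock_example(skew_days=-365):
    """Step 1 in practice: with the firewall clock a year behind, the currently
    valid cert_user certificate looks not-yet-valid and is rejected."""
    dn, nb, na = SAMPLE_CERTS["cert_user"]
    return select_tunnel_group(dn, nb, na, NOW + timedelta(days=skew_days))


if __name__ == "__main__":
    for user, group in classify_all().items():
        print(f"{user:10s} -> {group}")
    print("clock off by a year:", skewed_clock_example())
```

Running the script shows `cert_user` landing in `AnyConnect-TG-Cert`, `hr_user` (OU=HR) falling through to the default profile, and `old_user` rejected as expired; the skewed-clock call shows that a wrong firewall clock rejects an otherwise valid certificate, which is the failure mode step 1 is there to prevent.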

Conclusion

By using the steps in this post, you can configure certificate-based authentication for Cisco AnyConnect remote access VPN and run the enrollment process with the built-in CA server. In production, you can instead use a third-party, paid CA server to meet regulatory compliance and standards requirements.
