Configuring Multiple Certificate Authentication

Before you begin

Before you configure multiple certificate authentication, ensure that you have configured the certificate enrollment object that is used to obtain the identity certificate for each threat defense device. For more information, see Certificate Map Objects.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select the remote access VPN policy and click Edit.

Note

If you have not configured a remote access VPN, click Add to create a new remote access VPN policy.

Step 3

Select the connection profile in which you want to configure multiple certificate authentication and click Edit.

Step 4

Click AAA settings and select Authentication Method > Client Certificate Only or Client Certificate & AAA.

Note

Select the Authentication Server if you have selected the Client Certificate & AAA authentication method.

Step 5

Select the Enable multiple certificate authentication checkbox.

Step 6

Choose one of the certificates to Map username from client certificate:

  • First Certificate: Select this option to map the username from the machine certificate sent from the VPN client.

  • Second Certificate: Select this option to map the username from the user certificate sent from the client.

The username taken from the selected client certificate is used as the VPN session username when certificate-only authentication is enabled. When Client Certificate & AAA authentication is enabled, the VPN session username is based on the prefill option.

Note

If you select the Map specific field option, which maps the username from a field of the client certificate, the Primary and Secondary fields show the default values CN (Common Name) and OU (Organisational Unit), respectively.

If you select the Use entire DN (Distinguished Name) as username option, the system automatically retrieves the user identity. A distinguished name (DN) is a unique identifier made up of individual fields, and it can be used as the identifier when matching users to a connection profile. DN rules are used for enhanced certificate authentication.

If you have selected Client Certificate & AAA authentication, select the Prefill username from certificate on user login window option to prefill the secondary username from the client certificate when the user connects through the AnyConnect VPN module of Cisco Secure Client.

  • Hide username in login window: The secondary username is pre-filled from the client certificate but hidden from the user, so that the user does not modify the pre-filled username.
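The following is an added example, not Cisco code, that previews the VPN session username the Map username from client certificate options above would derive from the subject DNs of a machine certificate (first) and a user certificate (second). The sample DNs are constructed, and it assumes that when the Primary field is absent the Secondary field is used instead.

```python
# Added example (not Cisco code): previews the VPN session username that the
# "Map username from client certificate" options would derive from the subject
# DNs of the machine and user certificates. Sample DNs are constructed.
# Assumption: when the Primary field is absent, the Secondary field is used.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514-style DN into (ATTRIBUTE, value) pairs, honouring
    backslash-escaped commas such as 'O=Example\\, Inc.'."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # keep the escaped character literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def map_username(machine_dn: str, user_dn: str, use_cert: str, mode: str,
                 primary: str = "CN", secondary: str = "OU") -> str:
    """use_cert: 'first' (machine certificate) or 'second' (user certificate).
    mode: 'field' (Map specific field) or 'dn' (Use entire DN as username)."""
    subject = machine_dn if use_cert == "first" else user_dn
    if mode == "dn":
        return subject              # the whole DN becomes the username
    pairs = parse_dn(subject)
    for wanted in (primary.upper(), secondary.upper()):
        for attr, value in pairs:
            if attr == wanted and value:
                return value
    raise ValueError(f"neither {primary} nor {secondary} found in {subject!r}")


# Constructed sample session: machine certificate first, user certificate second.
MACHINE_DN = "CN=laptop-0042.corp.example,OU=Endpoints,O=Example\\, Inc."
USER_DN = "CN=jdoe,OU=Engineering,O=Example\\, Inc."

if __name__ == "__main__":
    print(map_username(MACHINE_DN, USER_DN, "second", "field"))  # jdoe
    print(map_username(MACHINE_DN, USER_DN, "first", "field"))   # laptop-0042.corp.example
    print(map_username(MACHINE_DN, USER_DN, "second", "dn"))     # the whole user DN
```

A certificate whose subject carries neither field raises an error rather than silently yielding an empty username, which is the case worth checking before enabling the option in production.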

Step 7

Configure the required AAA settings and connection profile settings for the remote access VPN.

Step 8

Save the connection profile and remote access VPN configuration and deploy it on your threat defense device.