Cisco VPN 2.0: Deploying Advanced AAA in Cisco Full-Tunnel VPNs

This course is included in our On-demand training solution.


When deploying VPNs, it is important to use strong authentication options. This course describes several advanced authentication options that you can use when implementing Cisco AnyConnect full-tunnel Secure Sockets Layer (SSL) VPNs on the Cisco ASA Adaptive Security Appliance. These authentication options offer better security and scalability than basic local authentication.
Advanced password-based authentication using external authentication, authorization, and accounting (AAA) servers, certificate-based authentication using the local certificate authority (CA) of the Security Appliance, and options that are available to verify user certificates for revocation are also covered.

Target Audience

Anyone wishing to obtain the Cisco Certified Network Professional (CCNP) Security designation. Cisco Network Security Engineers responsible for the selection, configuration, and troubleshooting of the majority of Cisco ASA Adaptive Security Appliance perimeter security features to reduce risk to IT infrastructure and its applications within their networking environments. Established IT professionals with a good understanding of networking and Cisco technology, installation, troubleshooting and monitoring of devices used to maintain integrity, confidentiality and availability of data and network devices that Cisco uses in its security infrastructure, as well as working knowledge of the Microsoft Windows operating system. Candidates who have completed the Cisco Certified Network Associate (CCNA), the Cisco Certified Network Associate Security (CCNA Security), the Securing Networks with Cisco Routers and Switches (SECURE) v1.0, and the Deploying Cisco ASA Firewall Solutions (FIREWALL 2.0) certifications.


Expected Duration

90 min.

Course Objectives

SSL VPN Gateway and User Authentication Overview

  • describe how to select a gateway and user authentication method in Cisco AnyConnect full-tunnel SSL VPNs

Deploying Advanced Client Authentication

  • describe the considerations involved in planning the deployment of advanced client authentication
  • distinguish between external AAA authentication configuration tasks

Deploying Certificate-Based Authentication Using CAs

  • describe how to configure the local CA on the Cisco ASA Security Appliance and the Cisco AnyConnect Client, with client certificates provisioned by the Cisco ASA Security Appliance
  • describe the considerations involved in configuring the Cisco ASA and Cisco AnyConnect Client to use an external CA and provision client certificates

Configuring SCEP Proxy

  • sequence the steps to configure SCEP proxy for Cisco AnyConnect

Multiple Client Authentication

  • describe how to implement a certificate revocation solution
  • identify valid combinations for deploying multiple authentication combinations

Configuring Local Group Policy Authorization

  • describe how to configure local group policy authorization in a Cisco full-tunnel SSL VPN

Configuring Remote Group Policy Authorization

  • match the external VPN authorization input parameters to their descriptions
  • describe how to configure remote group policy authorization in a Cisco full-tunnel SSL VPN

Configuring Accounting

  • sequence the steps to enable accounting in a connection profile