Cisco PIX 500 Series Security Appliances

PIX/ASA 8.x: CAC - SmartCards Authentication for Cisco VPN Client



This document provides a sample configuration on Cisco Adaptive Security Appliance (ASA) for network remote access with the Common Access Card (CAC) for authentication.

The scope of this document covers the configuration of Cisco ASA with Adaptive Security Device Manager (ASDM), Cisco VPN Client, and Microsoft Active Directory (AD)/Lightweight Directory Access Protocol (LDAP).

The configuration in this guide uses the Microsoft AD/LDAP server. This document also covers advanced features, such as OCSP, LDAP attribute maps, and Dynamic Access Polices (DAP).



A basic knowledge of Cisco ASA, Cisco VPN Client, Microsoft AD/LDAP, and Public Key Infrastructure (PKI) is beneficial to understand the complete setup. Familiarity with AD group membership and user properties, as well as LDAP objects helps to correlate the authorization process between the certificate attributes and AD/LDAP objects.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 5500 Series Adaptive Security Appliance (ASA) that runs the Software Version 8.0(x) and later

  • Cisco Adaptive Security Device Manager (ASDM) Version 6.x for ASA 8.x

  • Cisco VPN Client 4.x

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Cisco ASA Configuration

This section covers the configuration of Cisco ASA through ASDM. It covers the necessary steps to deploy a VPN remote access tunnel through an IPsec connection. The CAC certificate is used for authentication, and the User Principal Name (UPN) attribute in the certificate is populated in active directory for authorization.

Deployment Considerations

  • This guide does NOT cover basic configurations such as interfaces, DNS, NTP, routing, device access, or ASDM access, etc. It is assumed that the network operator is familiar with these configurations.

    For more information, refer to Multifunction Security Appliances.

  • Some sections are mandatory configurations needed for basic VPN access. For example, a VPN tunnel can be setup with the CAC card without OCSP checks, LDAP mappings, or Dynamic Access Policy (DAP) checks. DoD mandates OCSP checking, but the tunnel works without the OCSP configured.

  • The ASA image required is at least 8.0.2 and ASDM 6.0.2.

  • No LDAP schema change is necessary.

  • See Appendix A for LDAP & Dynamic Access Policy mapping examples for additional policy enforcement.

  • See Appendix D on how to check LDAP objects in MS.

  • See the Related Information