Skip to Content | Skip to Footer

Cisco Systems, Inc. ®

Using the Common Access Card for Remote Access VPN with the ASA 5500

The Department of Defense (DoD) has implemented the Common Access Card (CAC) for all user authentications. Beginning in the summer of 2006, the CAC is mandatory for user authentication. Most DoD installations have converted their Active Directories to accept the CAC for user logons.

This paper details the steps necessary to enable ASA 5500 support for the DoD Common Access Card (CAC) when it is integrated with Active Directory (AD) to provide Smart Card Logon. When Smart Card Logon is enabled, several challenges are presented as the typical authentication and authorization credentials are eliminated. In its place, only certificate-based authentication can be used to allow the Adaptive Security Appliance (ASA) to permit users to remotely access Virtual Private Network (VPN). This white paper focuses on implementing all of the functionality natively on the ASA 5500 with the Cisco VPN Client. Other solutions exist or may be possible using Layer 2 Tunneling Protocol/IP Security (L2TP/IPSec) with the Microsoft Client, or by introducing Remote Authentication Dial-In User Service (RADIUS) to provide the authorization functions.

This document focuses on the basic configuration settings for enabling CAC Authentication on the ASA 5500. The ASA 5500 provides a multitude of additional features that should be explored to further enhance the end-user experience and to help secure the DoD Enterprise.

Downloads
  • Using the Common Access Card for Remote Access VPN with the ASA 5500
    (PDF - 9.2 MB)
© 1992-2008 Cisco Systems Inc. All rights reserved.
Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of Cisco Systems Inc.