[c-nsp] ASA VPN with Local CA on the ASA

Jay Nakamura zeusdadog at gmail.com
Wed Aug 17 12:54:07 EDT 2011


I have been reading the documentation and trying to understand how this works.

My understanding is, I can use a certificate to add another layer of
authentication to VPN users on ASA.  I can use the ASA as the CA to
issue the cert and manage the cert.  Is that correct?  I wouldn't need
an additional CA server or external CA to purchase certs from?  Does it
work with both IPSec and AnyConnect clients?

Anyone have a good configuration example or URL that goes over it?

If I had a spare ASA, I would just test it out and see how it works but
I don't have a spare right now.

The background:
My client is a small 3 person tech company that needs more than just
pre-shared key and xauth to VPN in because of the sensitive
information they store.  But they don't have the budget or resources to
keep up the current RSA SecurID server which is a bit overkill for
them.  They thought certificate-based auth will not be as good as
SecurID but better than just user/pass.

Any help will be appreciated.

Thanks!

