topic Re: Anyconnect Client VPN authentication in Network Security

Anyconnect Client VPN authentication

adamgibs7 — Fri, 21 Feb 2020 15:35:04 GMT

Dears,

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html#anc7

I m following the above link for anyconnect client vpn double authentication, but the documents is not clear to me so how the double authentication occurs I have mentioned in below steps please correct me if I'm not wrong.

Each user has to generate a signing request from his windows PC ,, the CSR has to signed by the CA and CA Root certificate has to be available as a trustpoint in the ASA to authenticate, but I don’t find any configuration of trustpoint mapping configuration for the tunnel-group which I created becz I don’t want default certificate authentication for all tunnel groups. Also I have one more question here , the user certificate that was signed by CA can be used with multiple users ??? I hope it should not but how each user will be unique from others if they are authenticating by the certificate as an double authentication.

Thanks

Re: Anyconnect Client VPN authentication

Rob Ingram — Fri, 30 Mar 2018 17:07:36 GMT

Hi,

This webpage has an example to configure trustpoint on ASA and enable certificate authentication configuration on separate tunnel-group, not default.

Each user should be issued with their own unique certificate. I assume you are using Windows, therefore the certificate should be installed in the Users Certificate store, this means only that user who is logged on can use that certificate for authentication.

If you are using Active Directory, a Windows Group Policy can be configured to enroll each user with a certificate to use for authentication.

HTH

Re: Anyconnect Client VPN authentication

adamgibs7 — Fri, 30 Mar 2018 19:08:22 GMT

Dear RJI

thanks for the reply,

Attached are the logs,

I have already enabled on the tunnel-group certificate authentication but how this tunnel-group will authenticate to the trustpoint, if I am not wrong by this command ssl trust-point LAB_PKI OUTSIDE, this command is already enabled on my ASA for the ssl vpn, and the trustpoint is signed by the global sign with common name as a CN=<outside interface public ip>

I created a signing request from the windows PC and I get it signed by the global sign CA,

when I initiate a request from the client the certificate authentication fails and says no trustpoint found, actually it authenticates on basis of what for the user ??? by the basis of username or on basis of what ??

Re: Anyconnect Client VPN authentication

Rob Ingram — Fri, 30 Mar 2018 19:29:11 GMT

Can you upload the ASA configuration and the output of the following commands:

show crypto ca trustpoints
show crypto ca certificates

Re: Anyconnect Client VPN authentication

adamgibs7 — Fri, 30 Mar 2018 19:53:30 GMT

Dear

here is the attached

Re: Anyconnect Client VPN authentication

Rob Ingram — Fri, 30 Mar 2018 20:08:02 GMT

Are you using the Trustpoint GS_Intermediate ASDM_TrustPoint0?

Or Trustpoint SSL_VPN? - this trustpoint is not authenticated, but the issuer is Globalsign also.

The certificate with hostname = FW.xyz.gov.om is associated to Trustpoint: self, which is obviously incorrect.

I assume your intention is to issue certificates to the ASA and users from the Globalsign CA?

Re: Anyconnect Client VPN authentication

adamgibs7 — Fri, 30 Mar 2018 20:14:54 GMT

Dear RJI

The SSL_VPN trust point, recently I get it signed by global sign becz when users are accessing the https://public ip of the outside interface for the VPN they use to get the certificate error so I get it signed by the CA and the CN=X.X.X.X <public IP>

Now my goal is to authenticate anyconnect client users by certificate and local authentication, so how I can do that.

how I shld get the ssl_vpn trustpoint authenticated ???

group-policy CERT internal
group-policy CERT attributes
dns-server value 172.31.20.24
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value slit-tunnel
default-domain value xyz.local
split-dns value xyz.gov.om
address-pools value easypool
webvpn
anyconnect modules value posture
anyconnect ask none default anyconnect

tunnel-group CERT type remote-access
tunnel-group CERT general-attributes
address-pool easypool
default-group-policy CERT

tunnel-group CERT webvpn-attributes
authentication certificate
group-alias CERT enable

ssl trust-point SSL_VPN outside

Re: Anyconnect Client VPN authentication

Rob Ingram — Fri, 30 Mar 2018 20:20:59 GMT

Essentially that post i sent in the first link goes through the steps to authenticate and enroll a certificate on the ASA.

Authenticate = Importing the GlobalSign Root Cert. I assume they have a Root & Intermediate, I think you can just copy and paste both at the sametime before typing "quit" < as per the instructions.

Enroll = Generating the CSR, sending it off to get signed by GlobalSign and then importing the signed certificate.

As per that post you'd enter the authenticate & enroll commands specific for that Trustpoint - SSL_VPN in your case.

Re: Anyconnect Client VPN authentication

adamgibs7 — Fri, 30 Mar 2018 20:24:18 GMT

I have the root CA of the global sign,i have just added their intermediate but not their root so this is the reason it is showing me as a not authenticated ??

I will enter the root certificate now

thanks

Re: Anyconnect Client VPN authentication

adamgibs7 — Fri, 30 Mar 2018 21:10:12 GMT

Dears

It is failing to add by the below error

INFO: Certificate has the following attributes:
Fingerprint: c5efg849 ca043355 e32dba1a c44eb028
Do you accept this certificate? [yes/no]: yes
% Error in saving certificate: status = FAIL

what I have to do ?? , the other Global sign intermediate is doing nothing in the configuration I guess please correct me if I m not wrong,

I want to know for each user I have generate csr and get it signed by the CA ?? for example lets assume after ca signed the csr for the user A and he will install in the trusted root certificate personal folder, the same certificate cant be used for another user, how unique this user will be identified by the ASA in the certificate OR the CSR which is generated from the PC makes the authentication successful regardless who the user it is ??

Please elaborate

Re: Anyconnect Client VPN authentication

Rob Ingram — Fri, 30 Mar 2018 21:16:47 GMT

Turn on debugging - debug crypto ca

Please send me the configuration of the trustpoint AND send an output of the commands you run and the debug information

Re: Anyconnect Client VPN authentication

adamgibs7 — Fri, 30 Mar 2018 21:39:59 GMT

please find the file attached for the trustpoint, actual I made a mistake in installing the file I used different trustpoint names

Cannot provide the debug itself I am out of the office,

crypto ca authenticate SSL_VPN

< and I am pasting the entire root certificate of the GS>

quitsend an output of the commands you run and the debug information ??? which command ??

Re: Anyconnect Client VPN authentication

adamgibs7 — Fri, 30 Mar 2018 22:34:27 GMT

I managed to install the root certificate and now it is in the authenticated status, we send the debugs tomorrow for certificate authentication failure.

thanks

Re: Anyconnect Client VPN authentication

Rob Ingram — Sat, 31 Mar 2018 11:03:50 GMT

If you've now authenticated the certficiate don't need the debugs. You now need to enroll the certficiate, which will regenerate the CSR, then you need to get this signed by GlobalSign and import.

Re: Anyconnect Client VPN authentication

adamgibs7 — Sat, 31 Mar 2018 15:54:37 GMT

Dear RJI

just want to tell you that the actual root certificate was giving me an error so I authenticated with an Intermediate certificate provided by the CA and it worked,

before authentication of the intermediate certificate I already did the enrollment of the CSR , i don't have access to the FW to checks the debugs y still the certificate ssl vpn users are still failing.

Also it will be appreciable if u can answer my question asked in above thread, to have a clear visibility.

Thanks

Re: Anyconnect Client VPN authentication

adamgibs7 — Sun, 01 Apr 2018 17:02:43 GMT

Dear

Please find the attached logs for the certificate authentication failure.

Thanks

Re: Anyconnect Client VPN authentication

Rob Ingram — Sun, 01 Apr 2018 17:23:53 GMT

Error: CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number:

What is the output from the command show crypto ca certificates?

Re: Anyconnect Client VPN authentication

adamgibs7 — Sun, 01 Apr 2018 17:44:12 GMT

Dear RJI

FW(config)# sh crypto ca trustpoints

Trustpoint self:
Configured for self-signed certificate generation.

Trustpoint GS_Intermediate:
    Subject Name:
    cn=GlobalSign Organization Validation CA - SHA256 - G2
    o=GlobalSign nv-sa
    c=BE
          Serial Number: 040000000001444ef04247
    Certificate configured.

Trustpoint SSL_VPN:
    Subject Name:
    cn=GlobalSign Organization Validation CA - SHA256 - G2
    o=GlobalSign nv-sa
    c=BE
          Serial Number: 040000000001444ef04247
    Certificate configured.

ASAFW(config)# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 399b2171ccad01c3c98414f0
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
    cn=GlobalSign Organization Validation CA - SHA256 - G2
    o=GlobalSign nv-sa
    c=BE
Subject Name:
    cn=1.1.1.1
    o=xyz
    ou=IT
    l=mazga
    st=maharash
    c=IN
Validity Date:
    start date: 15:57:07 GMT Mar 21 2018
    end   date: 13:46:04 GMT Mar 21 2020
Storage: config
Associated Trustpoints: SSL_VPN

CA Certificate
Status: Available
Certificate Serial Number: 040000000001444ef04247
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
    cn=GlobalSign Root CA
    ou=Root CA
    o=GlobalSign nv-sa
    c=BE
Subject Name:
    cn=GlobalSign Organization Validation CA - SHA256 - G2
    o=GlobalSign nv-sa
    c=BE
OCSP AIA:
    URL: http://ocsp.globalsign.com/rootr1
CRL Distribution Points:
    [1] http://crl.globalsign.net/root.crl
Validity Date:
    start date: 14:00:00 GMT Feb 20 2014
    end   date: 14:00:00 GMT Feb 20 2024
Storage: config
Associated Trustpoints: SSL_VPN GS_Intermediate ASDM_TrustPoint0

Please clear one point for me,

i have generated a csr from windows 10 and get it signed by GS CA, while creating the csr i have mentioned only the username of the user and key modulus of 2048 nothing apart from that,

I am asking u from previous post something is not clear for me is on basis of what user certificate will be authenticated to the trustpoint , but at present we are not hitting to the trustpoint, is it so that i have to keep The IKEv2 and SSL trustpoints to be the same

thanks

Re: Anyconnect Client VPN authentication

Rob Ingram — Sun, 01 Apr 2018 18:04:27 GMT

It looks like the windows client certificate is issued from a different globalsign CA - issuer name: cn=GlobalSign PersonalSign 2 CA - SHA256 - G3 - Staging

Which is not the same CA as on your ASA, therefore trustpoint is not matching.

I don't understand you other question??

Re: Anyconnect Client VPN authentication

adamgibs7 — Sun, 01 Apr 2018 18:11:01 GMT

this is what i wanted to tell u that when i created the csr from the windows client i mentioned the cn as a username and not the GS as a CN,

I don't understand you other question??

i will try to make simple when creating csr from windows 10 pc what attributes i have to fill to match

Thanks