https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013974#M23116 <P><SPAN>So is that trustpoint enabled for ssl? &nbsp;Yes</SPAN></P><P><BR /><SPAN>Do the ASA and User trust each others certificate? &nbsp;Yes</SPAN></P><P><BR /><SPAN>So you have a computer certificate that works but it's just the user certificate that does not work? Yes</SPAN></P><P>&nbsp;</P><P><SPAN>I’ll get back to you on template differences</SPAN></P><P><SPAN>What is the difference in the certificate template used?</SPAN><BR /><SPAN>Enable debugging on the ASA and upload for review.</SPAN></P> Sat, 18 Jan 2020 17:53:36 GMT s1nsp4wn 2020-01-18T17:53:36Z https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013921#M23104 Tue, 21 Jan 2020 20:30:33 GMT https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013921#M23104 s1nsp4wn 2020-01-21T20:30:33Z https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013925#M23105 Hi,<BR />Yes it's possible to authenticate to ASA using certificates only and just send authorisation to ISE.<BR /><BR />The AnyConnect user must have a certificate that is mutually trusted by the ASA. The ASA would usually have an identity certificate issued by an internal CA, which is the same CA that issued the user certificate.<BR /><BR />HTH Sat, 18 Jan 2020 14:50:45 GMT https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013925#M23105 Rob Ingram 2020-01-18T14:50:45Z https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013938#M23108 <P>What would the ASA cli config look like? &nbsp;Should I remove authentication myiseserver from tunnel group? &nbsp;Also I have my internal root and intermediate in CA on the ASA already but it will not accept the computer client cert I have with error:</P><P><EM>File: CTransportWinHttp.cpp</EM></P><P><EM>Line: 1255</EM></P><P><EM>Invoked Function: HttpSendRequest</EM></P><P><EM>Return Code: 12186 (0x00002F9A)</EM></P><P><EM>Description: The client certificate credentials were not recognized.</EM></P><P><EM>&nbsp;</EM></P><P><EM>********************************************************</EM></P><P><EM>&nbsp;</EM></P><P><EM>Function: ConnectIfc::TranslateStatusCode</EM></P><P><EM>File: ConnectIfc.cpp</EM></P><P><EM>Line: 3157</EM></P><P><EM>Invoked Function: ConnectIfc::TranslateStatusCode</EM></P><P><EM>Return Code: -<A href="tel:29949918" target="_blank">29949918</A> (0xFE370022)</EM></P><P><EM>Description: CTRANSPORT_ERROR_USER_CERT</EM></P><P><EM>Internal Error (client certificate error).</EM></P> Sat, 18 Jan 2020 15:55:13 GMT https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013938#M23108 s1nsp4wn 2020-01-18T15:55:13Z https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013942#M23111 You need to use a user certificate Sat, 18 Jan 2020 16:01:50 GMT https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013942#M23111 Rob Ingram 2020-01-18T16:01:50Z https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013944#M23112 <P>Error above is from a user cert. &nbsp;I have a machine cert that doesn’t get this error.</P> Sat, 18 Jan 2020 16:15:39 GMT https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013944#M23112 s1nsp4wn 2020-01-18T16:15:39Z https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013946#M23113 <P>Configuration below from my lab, which successfully authenticates the user to the ASA using certificates and passes the CN to ISE for authorisation.</P><P>&nbsp;</P><PRE>aaa-server ISE protocol radius<BR /> authorize-only<BR /> interim-accounting-update periodic 24<BR /> dynamic-authorization<BR />aaa-server ISE (INSIDE) host 192.168.10.10<BR /> key *****<BR /> authentication-port 1812<BR /> accounting-port 1813<BR /> radius-common-pw *****<BR /><BR />tunnel-group TG-1 general-attributes<BR /> authorization-server-group ISE<BR />tunnel-group TG-1 webvpn-attributes<BR /> authentication certificate<BR /> group-alias TG-1 enable<BR /><BR />crypto ca trustpoint LAB_PKI<BR /> enrollment terminal<BR /> fqdn asa-1.lab.net<BR /> subject-name CN=asa-1.lab.net,OU=LAB,ST=London,C=GB<BR /> keypair VPN_KEY<BR /> crl configure<BR /><BR />ssl trust-point LAB_PKI OUTSIDE</PRE><P>The identity certificate on the ASA trustpoint LAB_PKI is signed by the same Internal CA that issued the user certificate on my computer.</P><P>&nbsp;</P><P>Provide your configuration if you still have issues, errors without context make it harder to troubleshoot.</P><P>&nbsp;</P><P>HTH</P> Sat, 18 Jan 2020 16:25:20 GMT https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013946#M23113 Rob Ingram 2020-01-18T16:25:20Z https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013953#M23114 <P>keys, hostnames, addresses etc removed:</P><P>&nbsp;</P><P>tunnel-group test type remote-access<BR />tunnel-group test general-attributes<BR />authentication-server-group test<BR />authorization-server-group test<BR />accounting-server-group test<BR />default-group-policy test<BR />authorization-required<BR />tunnel-group test webvpn-attributes<BR />authentication aaa certificate<BR />group-url https://fqdn/test enable<BR />!</P><P>aaa-server test protocol radius<BR />authorize-only<BR />interim-accounting-update periodic 24<BR />dynamic-authorization<BR />aaa-server test (INSIDE) host mypriserver<BR />authentication-port 1812<BR />accounting-port 1813<BR />raaa-server test (INSIDE) host mysecserver<BR />authentication-port 1812<BR />accounting-port 1813<BR /><BR /></P><P>!</P><P>aaa-server test protocol radius<BR />aaa-server test (INSIDE) host mypriserver<BR />authentication-port 1812<BR />accounting-port 1813</P><P>!</P><P>crypto ca trustpoint root<BR />enrollment terminal<BR />crl configure<BR />crypto ca trustpoint intermediate<BR />enrollment terminal<BR />crl configure<BR />(two trust points because I could not combine my root and intermediate into one cert)</P> Sat, 18 Jan 2020 17:00:23 GMT https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013953#M23114 s1nsp4wn 2020-01-18T17:00:23Z https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013959#M23115 So is that trustpoint enabled for ssl?<BR />Do the ASA and User trust each others certificate?<BR />So you have a computer certificate that works but it's just the user certificate that does not work? What is the difference in the certificate template used?<BR />Enable debugging on the ASA and upload for review. Sat, 18 Jan 2020 17:16:18 GMT https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013959#M23115 Rob Ingram 2020-01-18T17:16:18Z https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013974#M23116 <P><SPAN>So is that trustpoint enabled for ssl? &nbsp;Yes</SPAN></P><P><BR /><SPAN>Do the ASA and User trust each others certificate? &nbsp;Yes</SPAN></P><P><BR /><SPAN>So you have a computer certificate that works but it's just the user certificate that does not work? Yes</SPAN></P><P>&nbsp;</P><P><SPAN>I’ll get back to you on template differences</SPAN></P><P><SPAN>What is the difference in the certificate template used?</SPAN><BR /><SPAN>Enable debugging on the ASA and upload for review.</SPAN></P> Sat, 18 Jan 2020 17:53:36 GMT https://community.cisco.com/t5/network-security/anyconnect-via-client-certificates-questions/m-p/4013974#M23116 s1nsp4wn 2020-01-18T17:53:36Z