https://community.cisco.com/t5/network-security/anyconnect-certificate-based-authentication-error-1838/m-p/3793801#M7270 <P>My suspicion here is that Anyconnect barfs on the cn= being an ip address....</P><P>Let me know if this really is the case.</P> Sun, 03 Feb 2019 21:59:35 GMT Chewbakka1 2019-02-03T21:59:35Z https://community.cisco.com/t5/network-security/anyconnect-certificate-based-authentication-error-1838/m-p/3793679#M7267 <P>Hi,</P><P>&nbsp;</P><P>In an attempt to setup Anyconnect to authenticate users by certificates instead of the more common username/password based</P><P>authentication, i have created my own CA and issued:</P><UL><LI>The root certificate</LI><LI>The ASA identity certificate</LI><LI>The client(pc) device certificate</LI></UL><P>Both the Asa and the Client certificate are signed by, and correctly verifies against the root certificate.</P><P>In the identity cert for the Asa i have set the CN= to its outside ip address, as it does not have a fqdn set.</P><P>The client certificate also has it's CN= corresponding to its public ip</P><P>&nbsp;</P><P>When attempting to connect to the vpn-gateway(Asa) from the client pc, the debug output looks like this:</P><H6>CRYPTO_PKI:check_key_usage: KeyUsage extension not found.<BR />CRYPTO_PKI: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2 acceptable for usage type: SSL VPN Peer<BR />CRYPTO_PKI:check_key_usage:Key Usage check OK<BR /><BR />CRYPTO_PKI: Certificate validation: Failed, status: 1838CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1838<BR />CRYPTO_PKI: PKI Verify Certificate error. No trust point found.</H6><H6>CRYPTO_PKI: Certificate not validated<BR />CERT_API: calling user callback=0x00007f9163cd4a70 with status=15(Verification Failure)</H6><P>&nbsp;</P><P>I have also tried setting 'revocation-check none' under the trustpoint, without any result.</P><P>Any idea what i am missing?</P> Fri, 21 Feb 2020 16:44:37 GMT https://community.cisco.com/t5/network-security/anyconnect-certificate-based-authentication-error-1838/m-p/3793679#M7267 Chewbakka1 2020-02-21T16:44:37Z https://community.cisco.com/t5/network-security/anyconnect-certificate-based-authentication-error-1838/m-p/3793696#M7268 <P>Hi,</P> <P>What is your ASA configuration in regard to the trustpoint and remote access VPN? Do you have the following configured?</P> <P>&nbsp;</P> <P><SPAN style="font-size: 10pt;"><EM>ssl trust-point LAB_PKI OUTSIDE</EM></SPAN></P> <P><SPAN style="font-size: 10pt;"><EM>crypto ikev2 remote-access trustpoint LAB_PKI</EM></SPAN></P> <P>&nbsp;</P> <P><A href="https://integratingit.wordpress.com/2018/03/11/ccnp-simos-asa-anyconnect-ikev2-ipsec-vpn/" target="_self">This</A> reference describes how to use certificate authentication with AnyConnect RAVPN.</P> <P>&nbsp;</P> <P>HTH</P> Sun, 03 Feb 2019 12:13:43 GMT https://community.cisco.com/t5/network-security/anyconnect-certificate-based-authentication-error-1838/m-p/3793696#M7268 Rob Ingram 2019-02-03T12:13:43Z https://community.cisco.com/t5/network-security/anyconnect-certificate-based-authentication-error-1838/m-p/3793764#M7269 <P>try re-importing your CA certificate.</P> Sun, 03 Feb 2019 19:23:29 GMT https://community.cisco.com/t5/network-security/anyconnect-certificate-based-authentication-error-1838/m-p/3793764#M7269 Marius Gunnerud 2019-02-03T19:23:29Z https://community.cisco.com/t5/network-security/anyconnect-certificate-based-authentication-error-1838/m-p/3793801#M7270 <P>My suspicion here is that Anyconnect barfs on the cn= being an ip address....</P><P>Let me know if this really is the case.</P> Sun, 03 Feb 2019 21:59:35 GMT https://community.cisco.com/t5/network-security/anyconnect-certificate-based-authentication-error-1838/m-p/3793801#M7270 Chewbakka1 2019-02-03T21:59:35Z