
Anyconnect Migration with Certs to FTD

NETAD
Level 4

Hello, I attempted to migrate AnyConnect from ASA to FTD. We currently authenticate users using certificates only. The certs are issued to domain machines via our internal PKI. I exported the PKCS for the public cert and enrolled it in FMC, and that worked. I also installed the internal root CA cert in FMC under trusted CAs. When I go to connect, it gives an error: invalid cert found. What am I missing here? Does the FTD need a cert signed by my internal CA?

1 Reply

Marvin Rhoads
Hall of Fame

Unfortunately user certificates are not currently among the supported authentication types for FTD-based remote access VPN.

This is the case as of the current 6.3 release.

Authentication, Authorization, and Accounting

  • Firepower Threat Defense device supports authentication of Remote Access VPN users using system-integrated authentication servers only; a local user database is not supported. RADIUS and LDAP/AD authentication are supported.

  • The LDAP/AD authorization and accounting are not supported for Remote Access VPN. Only RADIUS server groups can be configured as authorization or accounting servers in the Remote Access VPN configuration.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy
