ASA + AnyConnect + CA Certificate authentication + Untrusted Servers

Alisson C
Level 1

Hello Everyone.

I'm willing to clarify a question about the ASA and their trustpoints/certificates.

 

So far, I have successfully configured the AnyConnect client to authenticate with both LDAP usernames + passwords and machine certificates. For that, I have a Microsoft internal CA in place to provide a certificate to every computer in my domain.

 

To achieve that, I had to configure a trustpoint, add the CA chain, and add the identity certificate for the ASA on that trustpoint. This trustpoint is bound to the Outside interface, where my valid IP is configured and the clients connect to the VPN.

Also, I noticed that there is no "Untrusted server" warning for my internal clients when they try to connect to VPN, because they can trust the ASA Certificate, since the CA who issued the ASA's certificate is common for everyone.

My problem is that I have a few hundred external clients, partners and service providers who will also make use of this VPN.

Some of their computers are not in our domain, so they will not trust the certificate that is bound to the trustpoint.

And so, the "Untrusted VPN server" message will be displayed to them, and they will need to manually disable the "block the connection to untrusted servers" option.

I do have a valid certificate that I can install on ASA, provided by an external CA.

 

Is it possible to install both certificates so that the external partners can also trust my server, and I can still use my internal certificate to authenticate domain computers? Is there a way to configure both certificates on the ASA?

 

Thanks in advance

2 Replies

rvarelac
Level 7

Hi Alisson, 

Unfortunately, only one SSL certificate is allowed per interface, so you can't have both active on the same interface.

Alternatively, you can create a new profile for the external clients, but use IKEv2 instead of SSL on this new profile. The domain users will continue using the existing certificate, and the users on this new profile will use the certificate specified with the command "crypto ikev2 remote-access trustpoint <trustpoint name>".

 

See an example of the configuration below :

https://supportforums.cisco.com/document/74111/asa-anyconnect-ikev2-configuration-example

 

Hope it helps

-Randy-
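As an added illustration of the approach Randy describes (this is not configuration from the thread or from the linked Cisco document; every trustpoint, keypair, group-policy and tunnel-group name below is an assumed placeholder), the following ASA CLI fragment keeps the internal-CA certificate as the SSL trust-point for domain clients and presents the public-CA certificate only to IKEv2 remote-access sessions used by external partners:

```cisco
! Added example, not from the thread. All names are assumed placeholders.
!
! Trustpoint holding the identity certificate issued by the internal Microsoft CA.
crypto ca trustpoint INTERNAL-CA-TP
 enrollment terminal
 keypair INTERNAL-KEY
 crl configure
!
! Trustpoint holding the identity certificate issued by the public (external) CA.
crypto ca trustpoint PUBLIC-CA-TP
 enrollment terminal
 keypair PUBLIC-KEY
 crl configure
!
! Only one SSL certificate per interface: SSL/TLS AnyConnect sessions on "outside"
! keep presenting the internal certificate, which domain-joined clients already trust.
ssl trust-point INTERNAL-CA-TP outside
!
! IKEv2 remote-access sessions present the public certificate instead.
crypto ikev2 remote-access trustpoint PUBLIC-CA-TP
crypto ikev2 enable outside client-services port 443
!
! Group policy for external partners, restricted to IKEv2 so they never land on the
! SSL listener with the internal certificate.
group-policy GP-PARTNERS internal
group-policy GP-PARTNERS attributes
 vpn-tunnel-protocol ikev2
!
! Separate connection profile (tunnel-group) for the partners.
tunnel-group TG-PARTNERS type remote-access
tunnel-group TG-PARTNERS general-attributes
 default-group-policy GP-PARTNERS
tunnel-group TG-PARTNERS webvpn-attributes
 group-alias Partners enable
```

For the partner clients to actually negotiate IKEv2, the AnyConnect client profile pushed to that connection profile must select IPsec as the primary protocol (`<PrimaryProtocol>IPsec</PrimaryProtocol>` in the profile XML); otherwise the client defaults to SSL and is presented the interface's SSL trust-point certificate. Note also that the client-services listener on port 443 (profile and update downloads) is a TLS service and therefore uses the interface's `ssl trust-point`, so test an external partner connection end to end rather than assuming the public certificate covers every step.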

nvassallo
Level 1

Hi, did you solve your issue without creating another profile?
