2 MFA for Cisco AnyConnect VPN with Microsoft Azure

TAC-itsupport
Level 1

Hello,

I'm attempting to set up 2 MFA for Cisco AnyConnect VPN with Microsoft Azure. However, when I download the certificate from Microsoft and import it to the ASA, I receive an error message stating "trustpoint is not enrolled".

I have Cisco ASA 5506-x

ASA version: 9.16(4), ASDM 7.19 and AnyConnect version: 4.10

Here is the command I use:

crypto ca trustpoint AzureAD-AC-SAML
revocation-check none
no id-usage
enrollment terminal
no ca-check
crypto ca authenticate AzureAD-AC-SAML
-----BEGIN CERTIFICATE-----

******

-----END CERTIFICATE-----

quit

webvpn
saml idp https://*********
url sign-in https://********
url sign-out https://******
trustpoint idp AzureAD-AC-SAML
trustpoint sp AzureAD-AC-SAML
no force re-authentication
no signature
base-url https://*******

After this command "trustpoint sp AzureAD-AC-SAML" I got an error saying that the trustpoint is not enrolled: "Please enroll trustpoint!!!"

How can I resolve this issue? Thanks

4 Replies

@TAC-itsupport the SP certificate trustpoint should be the existing identity certificate trustpoint used for remote access VPN connections, not the Azure IDP certificate (AzureAD-AC-SAML).

Thank you Rob,

I don't have any identity certificate! so should I create new one and use it for SP certificate?

Accepted Solution

@TAC-itsupport yes, typically this would be a public CA signed certificate to avoid certificate errors, but it could be signed by your internal CA such as Windows Server CA.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html
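As an added example (not from this thread or from Cisco's documentation), this is the shape of the configuration the replies above point at: a separate trustpoint that is actually enrolled with the ASA's own identity certificate is used for `trustpoint sp`, while the Azure certificate trustpoint is only authenticated and used for `trustpoint idp`. Key and trustpoint names, vpn.example.com and the Azure URLs are placeholders.

```text
! --- 1. SP identity trustpoint: the ASA's own server certificate (has a private key) ---
! VPN-ID-KEY, VPN-ID-TP and vpn.example.com are placeholders.
crypto key generate rsa label VPN-ID-KEY modulus 2048
crypto ca trustpoint VPN-ID-TP
 enrollment terminal
 keypair VPN-ID-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example
! Authenticate the issuing CA first (public CA or an internal Windows Server CA) ...
crypto ca authenticate VPN-ID-TP
! (paste the CA certificate PEM, then type "quit")
! ... generate the CSR, have the CA sign it, then import the issued certificate
crypto ca enroll VPN-ID-TP
crypto ca import VPN-ID-TP certificate
! (paste the issued identity certificate PEM, then type "quit")
! Present this certificate to AnyConnect clients on the outside interface
ssl trust-point VPN-ID-TP outside

! --- 2. IdP trustpoint: Azure's SAML signing certificate, authenticated only, never enrolled ---
crypto ca trustpoint AzureAD-AC-SAML
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
crypto ca authenticate AzureAD-AC-SAML
! (paste the certificate downloaded from Azure, then type "quit")

! --- 3. SAML IdP: IdP side uses the Azure trustpoint, SP side uses the enrolled identity trustpoint ---
webvpn
 saml idp https://<azure-entity-id>
  url sign-in https://<azure-login-url>
  url sign-out https://<azure-logout-url>
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp VPN-ID-TP
  no force re-authentication
  no signature
  base-url https://vpn.example.com

! Verify: "show crypto ca certificates" should list a CA certificate for AzureAD-AC-SAML
! and both a CA certificate and an identity certificate for VPN-ID-TP.
```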


TAC-itsupport
Level 1

Thank you Rob.
