03-12-2024 09:17 AM
Hello,
I'm attempting to set up MFA for Cisco AnyConnect VPN with Microsoft Azure. However, when I download the certificate from Microsoft and import it to the ASA, I receive an error message stating "trustpoint is not enrolled".
I have a Cisco ASA 5506-X.
ASA version: 9.16(4), ASDM 7.19 and AnyConnect version: 4.10
Here is the command I use:
crypto ca trustpoint AzureAD-AC-SAML
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
crypto ca authenticate AzureAD-AC-SAML
-----BEGIN CERTIFICATE-----
******
-----END CERTIFICATE-----
quit
webvpn
 saml idp https://*********
  url sign-in https://********
  url sign-out https://******
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp AzureAD-AC-SAML
  no force re-authentication
  no signature
  base-url https://*******
After the command "trustpoint sp AzureAD-AC-SAML" I got an error saying that the trustpoint is not enrolled: "Please enroll trustpoint!!!"
How can I resolve this issue? Thanks.
03-12-2024 09:32 AM
@TAC-itsupport the SP certificate trustpoint should be the existing identity certificate trustpoint used for remote access VPN connections, not the Azure IDP certificate (AzureAD-AC-SAML).
03-12-2024 09:50 AM
Thank you Rob,
I don't have any identity certificate! So should I create a new one and use it for the SP certificate?
03-12-2024 09:53 AM
@TAC-itsupport yes, typically this would be a public CA signed certificate to avoid certificate errors, but it could be signed by your internal CA such as Windows Server CA.
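To show what the two answers above add up to in practice, here is an added configuration example (not taken from Rob's posts or from Cisco documentation). It creates a separate identity trustpoint for the ASA itself, enrolls it, binds it to the outside interface, and then references that trustpoint as the SAML SP certificate while the Azure certificate stays as the IdP trustpoint. The names VPN-ID-CERT, VPN-RSA-KEY, vpn.example.com, the tunnel-group name and all https:// URLs are assumed placeholders, not values from the thread.

```cisco
! --- Step 1: key pair and identity trustpoint for the ASA (assumed names) ---
crypto key generate rsa label VPN-RSA-KEY modulus 2048
crypto ca trustpoint VPN-ID-CERT
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 keypair VPN-RSA-KEY
! Generate the CSR, copy it out and have it signed by a public CA or your internal CA.
crypto ca enroll VPN-ID-CERT
! Import the CA's root (and intermediate) certificate first, then the issued identity certificate.
crypto ca authenticate VPN-ID-CERT
-----BEGIN CERTIFICATE-----
... CA certificate (placeholder) ...
-----END CERTIFICATE-----
quit
crypto ca import VPN-ID-CERT certificate
-----BEGIN CERTIFICATE-----
... issued identity certificate (placeholder) ...
-----END CERTIFICATE-----
quit
! Lab-only alternative: self-signed identity certificate (clients will see a trust warning).
! crypto ca trustpoint VPN-ID-CERT
!  enrollment self
!  fqdn vpn.example.com
!  subject-name CN=vpn.example.com
!  keypair VPN-RSA-KEY
! crypto ca enroll VPN-ID-CERT

! --- Step 2: present the identity certificate on the VPN interface ---
ssl trust-point VPN-ID-CERT outside

! --- Step 3: SAML IdP block: Azure cert for idp, ASA identity cert for sp ---
webvpn
 saml idp https://sts.windows.net/PLACEHOLDER-TENANT-ID/
  url sign-in https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID/saml2
  url sign-out https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID/saml2
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp VPN-ID-CERT
  no force re-authentication
  no signature
  base-url https://vpn.example.com

! --- Step 4: tie the tunnel-group to SAML authentication (assumed group name) ---
tunnel-group AnyConnect-SAML webvpn-attributes
 saml identity-provider https://sts.windows.net/PLACEHOLDER-TENANT-ID/
 authentication saml
```

The "trustpoint is not enrolled" check fires because the SP trustpoint must hold a private key the ASA can sign with; AzureAD-AC-SAML only contains Azure's public certificate, so it can never satisfy that check. Verify with "show crypto ca certificates VPN-ID-CERT" that the identity trustpoint shows an issued certificate (not just a CA certificate) before re-applying the saml idp block.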
03-12-2024 10:04 AM
Thank you Rob.