02-03-2019 03:42 AM - edited 02-21-2020 08:44 AM
Hi,
In an attempt to set up AnyConnect to authenticate users by certificates instead of the more common username/password based
authentication, I have created my own CA and issued:
Both the ASA and the client certificate are signed by, and correctly verify against, the root certificate.
In the identity cert for the ASA I have set the CN= to its outside IP address, as it does not have an FQDN set.
The client certificate also has its CN= corresponding to its public IP.
When attempting to connect to the VPN gateway (ASA) from the client PC, the debug output looks like this:
I have also tried setting 'revocation-check none' under the trustpoint, without any result.
Any idea what I am missing?
02-03-2019 04:13 AM
Hi,
What is your ASA configuration in regard to the trustpoint and remote access VPN? Do you have the following configured?
ssl trust-point LAB_PKI OUTSIDE
crypto ikev2 remote-access trustpoint LAB_PKI
This reference describes how to use certificate authentication with AnyConnect RAVPN.
HTH
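To show where the two lines above fit, here is an added example of a minimal ASA configuration for certificate-only AnyConnect authentication. It is not configuration from this thread or from Cisco's documentation; the trustpoint name LAB_PKI and the interface name OUTSIDE are taken from the reply above, while the IP address 203.0.113.10, the key-pair name, the group-policy ANYCONNECT-GP and the tunnel-group ANYCONNECT-CERT are assumed placeholders.

```cisco
! Trustpoint holding the private root CA and the ASA identity certificate.
! The CA cert is pasted in with "crypto ca authenticate LAB_PKI" and the
! signed identity cert with "crypto ca import LAB_PKI certificate".
! 203.0.113.10 is a placeholder for the ASA outside address (no FQDN).
crypto ca trustpoint LAB_PKI
 enrollment terminal
 subject-name CN=203.0.113.10
 keypair LAB_PKI_KEY
 revocation-check none
!
! Present the LAB_PKI identity certificate on the OUTSIDE interface
! (SSL/TLS AnyConnect) and for IKEv2 remote-access sessions.
ssl trust-point LAB_PKI OUTSIDE
crypto ikev2 remote-access trustpoint LAB_PKI
!
! Group policy and tunnel group (assumed names) that require a client
! certificate instead of a username/password prompt.
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client ikev2
!
tunnel-group ANYCONNECT-CERT type remote-access
tunnel-group ANYCONNECT-CERT general-attributes
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-CERT webvpn-attributes
 authentication certificate
 group-alias CERT-LOGIN enable
!
webvpn
 enable OUTSIDE
 anyconnect enable
!
! Checks to run from exec mode after applying the above:
!   show crypto ca certificates LAB_PKI      (CA + identity cert both present)
!   show running-config ssl                  (ssl trust-point bound to OUTSIDE)
!   show running-config tunnel-group         (authentication certificate set)
```

With "authentication certificate" the ASA only accepts client certificates that chain to a CA in one of its trustpoints, so a client certificate issued by a root that is not imported under LAB_PKI (or imported incompletely) will be rejected before any user mapping takes place; the "show crypto ca certificates" output is the first thing to compare against the CA that signed the client certificate.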
02-03-2019 11:23 AM
Try re-importing your CA certificate.
02-03-2019 01:59 PM
My suspicion here is that AnyConnect barfs on the CN= being an IP address...
Let me know if this really is the case.