Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
415
Views
0
Helpful
2
Replies

Anyconnect Client SSL authentication with Windows CA

Go to solution
sanchezeldorado
Beginner
Beginner

‎12-07-2022 04:12 PM

Hello,

I have am using FMC and FTD version 7.2 and I have a working configuration using SAML authentication. I'm trying to add Certificate authentication, but I'm having a problem validating the certificate installed on my client machine. First a couple facts.

1. I have a windows CA that has pushed out computer certificates to all of my domain computers. 
2. In my remote access vpn config, I have installed a public certificate vpn.mydomain.com. 

I believe my problem is that the FTD is trying to match the public cert with my computer's private cert and giving me an error "Certificate Validation Failure". Is there a way to present the vpn.mydomain.com website with a public certificate while my clients use the private cert? I plan to add another connection profile for vendors and I don't want to require certificates for them. 

Thanks!
Andy

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎12-08-2022 12:48 AM

Hi @sanchezeldorado,

Yes, it is possible to use public CA signed certificate for your FTD devices, to identify FTD on the Internet, and at the same time to use private CA signed device certificate, to identify clients to your FTD. You can see config guide here.

Based on your error desciption, it looks to me like your FTD doesn't have private CA chain, so it can't validate client certificate, or client is not using private CA certificate to identify itself, so FTD doesn't trust offered one.

Kind regards,

Milos

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎12-08-2022 12:48 AM

Hi @sanchezeldorado,

Yes, it is possible to use public CA signed certificate for your FTD devices, to identify FTD on the Internet, and at the same time to use private CA signed device certificate, to identify clients to your FTD. You can see config guide here.

Based on your error desciption, it looks to me like your FTD doesn't have private CA chain, so it can't validate client certificate, or client is not using private CA certificate to identify itself, so FTD doesn't trust offered one.

Kind regards,

Milos

0 Helpful

Go to solution
sanchezeldorado
Beginner
Beginner
In response to Milos_Jovanovic

‎12-11-2022 07:05 AM

Thank you for the input. Unfortunately, it looks like I won't have the ability to get this configured. Have a good day!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents