Anyconnect Client SSL authentication with Windows CA

sanchezeldorado
Beginner

Hello,

I am using FMC and FTD version 7.2 and I have a working configuration using SAML authentication. I'm trying to add certificate authentication, but I'm having a problem validating the certificate installed on my client machine. First, a couple of facts.

1. I have a Windows CA that has pushed out computer certificates to all of my domain computers.
2. In my remote access VPN config, I have installed a public certificate for vpn.mydomain.com.

I believe my problem is that the FTD is trying to match the public cert with my computer's private cert and giving me an error "Certificate Validation Failure". Is there a way to present the vpn.mydomain.com website with a public certificate while my clients use the private cert? I plan to add another connection profile for vendors and I don't want to require certificates for them.

Thanks!
Andy

1 Accepted Solution

Accepted Solutions

Milos_Jovanovic
VIP Alumni

Hi @sanchezeldorado,

Yes, it is possible to use a public CA-signed certificate for your FTD devices, to identify the FTD on the Internet, and at the same time to use a private CA-signed device certificate, to identify clients to your FTD. You can see the config guide here.

Based on your error description, it looks to me like your FTD doesn't have the private CA chain, so it can't validate the client certificate, or the client is not using a private CA certificate to identify itself, so the FTD doesn't trust the offered one.

Kind regards,

Milos


2 Replies


Thank you for the input. Unfortunately, it looks like I won't have the ability to get this configured. Have a good day!
