AnyConnect Client VPN authentication

adamgibs7
Level 6

Dears,

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html#anc7

I'm following the above link for AnyConnect client VPN double authentication, but the document is not clear to me on how the double authentication occurs. I have described my understanding in the steps below; please correct me if I'm wrong.

Each user has to generate a signing request from his Windows PC. The CSR has to be signed by the CA, and the CA root certificate has to be available as a trustpoint in the ASA to authenticate, but I don't find any trustpoint mapping configuration for the tunnel-group which I created, because I don't want default certificate authentication for all tunnel groups. Also, I have one more question here: can the user certificate that was signed by the CA be used with multiple users? I hope it cannot, but then how will each user be unique from the others if they are authenticating by certificate as a double authentication?

 

Thanks

34 Replies

Dear

Please find the attached logs for the certificate authentication failure.

Thanks

Error: CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 

 

What is the output from the command show crypto ca certificates?

Dear RJI

FW(config)# sh crypto ca trustpoints

Trustpoint self:
    Configured for self-signed certificate generation.

Trustpoint GS_Intermediate:
    Subject Name:
    cn=GlobalSign Organization Validation CA - SHA256 - G2
    o=GlobalSign nv-sa
    c=BE
          Serial Number: 040000000001444ef04247
    Certificate configured.


Trustpoint SSL_VPN:
    Subject Name:
    cn=GlobalSign Organization Validation CA - SHA256 - G2
    o=GlobalSign nv-sa
    c=BE
          Serial Number: 040000000001444ef04247
    Certificate configured.

 



ASAFW(config)# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 399b2171ccad01c3c98414f0
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=GlobalSign Organization Validation CA - SHA256 - G2
    o=GlobalSign nv-sa
    c=BE
  Subject Name:
    cn=1.1.1.1
    o=xyz
    ou=IT
    l=mazga
    st=maharash
    c=IN
  Validity Date:
    start date: 15:57:07 GMT Mar 21 2018
    end   date: 13:46:04 GMT Mar 21 2020
  Storage: config
  Associated Trustpoints: SSL_VPN

CA Certificate
  Status: Available
  Certificate Serial Number: 040000000001444ef04247
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=GlobalSign Root CA
    ou=Root CA
    o=GlobalSign nv-sa
    c=BE
  Subject Name:
    cn=GlobalSign Organization Validation CA - SHA256 - G2
    o=GlobalSign nv-sa
    c=BE
  OCSP AIA:
    URL: http://ocsp.globalsign.com/rootr1
  CRL Distribution Points:
    [1]  http://crl.globalsign.net/root.crl
  Validity Date:
    start date: 14:00:00 GMT Feb 20 2014
    end   date: 14:00:00 GMT Feb 20 2024
  Storage: config
  Associated Trustpoints: SSL_VPN GS_Intermediate ASDM_TrustPoint0

 

Please clear up one point for me.

I have generated a CSR from Windows 10 and got it signed by the GS CA. While creating the CSR I mentioned only the username of the user and a key modulus of 2048, nothing apart from that.

What I was asking in the previous post, and what is not clear to me, is on what basis the user certificate will be authenticated against the trustpoint. At present we are not hitting the trustpoint; is it so that I have to keep the IKEv2 and SSL trustpoints the same?

Thanks

It looks like the Windows client certificate is issued from a different GlobalSign CA - issuer name: cn=GlobalSign PersonalSign 2 CA - SHA256 - G3 - Staging

which is not the same CA as on your ASA; therefore the trustpoint is not matching.

I don't understand your other question??

This is what I wanted to tell you: when I created the CSR from the Windows client I mentioned the CN as a username and not GS as the CN.

I don't understand your other question??

I will try to make it simple: when creating a CSR from a Windows 10 PC, what attributes do I have to fill in to match?

Thanks

The attributes you specify in the CSR are one thing, but currently the Windows client and the ASA are using certificates issued by different GlobalSign CAs. The ASA doesn't know about the GlobalSign PersonalSign 2 CA; that's your problem.

Try creating another trustpoint for the GlobalSign PersonalSign 2 CA on the ASA and authenticating it (importing that CA's root certs).

Dear RJI

Thanks for clarifying; I will ask the CA to issue with the same root CA.

For example, CN, OU and company will all be the same in Windows CSR generation for corporate users, so any user can install any user certificate to authenticate himself or his PC; so what will be unique for the user to authenticate by the certificate?

I'm not an expert in certificates, that's why I'm asking you these questions.

 

If I understand your question correctly, the certificate used on the Windows client will need a unique CN per user to identify the client that is authenticating. The OU, company, etc. can be the same value.

Let's assume user A generated a CSR with CN=userA and user B also generated a CSR with CN=userB.

Then these CSRs will be given to the CA for signing, and then the CA will give back to us certificates, one for user A and one for user B.

Now the question is: these unique CN=userA and CN=userB, how are they authenticated/identified on the trustpoint? How does the trustpoint identify that now userA has arrived for authentication? In the ASA we can't create a trustpoint for each user; it is not logical to create one for all users of a corporation. Or does the trustpoint just decrypt the identity certificate of the PC with the public key?

Maybe I'm not able to explain my question, but in simple words, can you write for me the steps of how the PC/user gets authenticated by his identity to the trustpoint?

As per the attached example, it shows how it works with site-to-site VPN certificate authentication.

 

Trustpoint is just a container to hold an identity and/or a CA certificate. The trustpoint itself has no role in authenticating the user cert. When you add a CA certificate into the ASA, this has to be done via a trustpoint. Adding a CA cert on the ASA also means that this is a trusted CA. So when a user tries to authenticate, the ASA checks whether the CA certificate is located in any one of the trustpoints. Once it finds the right CA certificate, it validates that the client cert has been issued by the CA (decrypt signature with CA public key, hash cert, compare). If this passes, along with the validity and revocation checks, the client cert has been authenticated.

From your last post, it looks like you want to be able to tie the user to the certificate (userA's cert has been sent by userA and not userB). This can only be done if you add another step in authentication where you pick a field from the certificate (subject-name), use this as the username for AAA authentication, and have the user authenticate with his own AD or backend AAA password. This means that only userA can send his/her cert and authenticate successfully. Hope this makes sense.

Dear Rahul,

From your last post, it looks like you want to be able to tie the user to the certificate (userA's cert has been sent by userA and not userB). This can only be done if you add another step in authentication where you pick a field from the certificate (subject-name), use this as the username for AAA authentication, and have the user authenticate with his own AD or backend AAA password. This means that only userA can send his/her cert and authenticate successfully. Hope this makes sense.

How is the above achievable? I have an ISE server; how do I do the above?

 

thanks

Very similar guide below:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html#anc13

 

The only difference in the guide is that it has double AAA authentication. Your ASA config would look something like this:

tunnel-group RA general-attributes
 authentication-server-group ISE
 default-group-policy Group1
 authorization-required
 username-from-certificate CN
tunnel-group RA webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
 group-alias RA enable

The above picks up the CN from your cert and adds it in the username field. The user enters the password and that is sent to ISE for authentication and authorization.

ISE is just standard policy to authenticate back to AD and make group-based authorization decisions.
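The flow Rahul describes in his two replies above (locate the trustpoint holding the issuing CA, verify the client certificate's signature and validity, then take the CN as the username and check the password against AAA) and the earlier "different CA, trustpoint not matching" failure can be reproduced end to end in a small program. The following Go example is added here and is not from the Cisco document or from any poster in this thread. It builds its own throwaway PKI (constructed CA and user certificates with constructed names), keeps a hard-coded password table as a stand-in for ISE/AD, and uses the names Trustpoints, Authenticate, BuildPKI and PKI, which are the example's own, not ASA features:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Trustpoints stands in for the ASA's trustpoints: named containers each holding one trusted CA cert.
type Trustpoints map[string]*x509.Certificate

// aaaPasswords is a constructed stand-in for the ISE/AD password backend.
var aaaPasswords = map[string]string{"userA": "passA", "userB": "passB"}

// makeCert issues a certificate for cn: self-signed (a CA) when parent is nil,
// otherwise signed by parent's key, like a CA signing a user's CSR.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"xyz"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // user certs carry the client-auth EKU that the verifier requires
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// Authenticate runs the two factors from the thread: (1) find a trustpoint whose
// CA issued the client cert and check signature, validity and client-auth EKU;
// (2) take the CN as the username (username-from-certificate CN) and check the
// password. Returns the anchoring trustpoint, the username, and any error.
func Authenticate(tps Trustpoints, client *x509.Certificate, password string) (string, string, error) {
	roots := x509.NewCertPool()
	tpBySubject := map[string]string{}
	for name, ca := range tps {
		roots.AddCert(ca)
		tpBySubject[ca.Subject.String()] = name
	}
	chains, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil { // the "No suitable trustpoints found" case from the logs above
		return "", "", fmt.Errorf("no suitable trustpoint for cert serial %x: %w", client.SerialNumber, err)
	}
	root := chains[0][len(chains[0])-1]
	tp, user := tpBySubject[root.Subject.String()], client.Subject.CommonName
	if pw, ok := aaaPasswords[user]; !ok || pw != password {
		return tp, user, fmt.Errorf("AAA password check failed for %q", user)
	}
	return tp, user, nil
}

// PKI is the constructed test PKI: one CA loaded into trustpoint SSL_VPN, two
// user certs it issued, and a "userA" cert from a CA that is in no trustpoint.
type PKI struct {
	Trustpoints                  Trustpoints
	UserA, UserB, UnknownCAUserA *x509.Certificate
}

func BuildPKI() PKI {
	ca, caKey := makeCert("Example Org CA (constructed)", true, nil, nil)
	otherCA, otherKey := makeCert("Example Other CA (constructed)", true, nil, nil)
	userA, _ := makeCert("userA", false, ca, caKey)
	userB, _ := makeCert("userB", false, ca, caKey)
	fromOther, _ := makeCert("userA", false, otherCA, otherKey)
	return PKI{Trustpoints{"SSL_VPN": ca}, userA, userB, fromOther}
}

func main() {
	p := BuildPKI()
	_, user, err := Authenticate(p.Trustpoints, p.UserB, "passA") // userB's cert with userA's password
	fmt.Println(user, err)
}
```

Running the three cases shows the point of the thread: userA's and userB's certificates both pass the certificate factor because both chain to the CA in trustpoint SSL_VPN, so the certificate alone cannot tell the two users apart; only the AAA step, with the CN pre-filled as the username, rejects userB's certificate presented with userA's password. A certificate issued by a CA that is not loaded into any trustpoint is rejected before the password is ever consulted, which is the earlier "no suitable trustpoints" situation. Revocation checking (CRL/OCSP) is left out of this example.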

Thanks for the reply; I really appreciate you making me understand the concept.

Till today GlobalSign CA is not understanding which type of certificate they should give me for AnyConnect client remote access VPN. Can you guide me on which type of cert I should ask them for?

I have from GlobalSign an IP SSL certificate for my public IP, which is not working for my AnyConnect VPN as per the conversation above ("the trustpoint not matching").

Can you help me with which type of certificate I should ask GS for, for the ASA and the client, to get authenticated for remote access VPN?

Thanks

You just need a domain validated cert from the GlobalSign CA.  https://www.globalsign.com/en/ssl/domain-ssl/

 

Your cert should ideally be issued to the FQDN that the clients will be using, for example: https://vpn[dot]domain[dot]com

 

An example document with GoDaddy CA is below, the same steps should hold for any CA.

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

 

Dear Rahul

Excellent.

For a Domain SSL certificate my ISP has to publish a DNS entry https://remotevpn.xyz.com for my public IP; instead of a name, users are currently using https://<ip address> to reach the ASA.

Now the next step to success is the user signed certificate.

For signing the user certificate I have to generate a CSR from the Windows 10 PC and hand over the CSR to GlobalSign for signing. Please correct me if I'm wrong.

Now GlobalSign should sign the user CSR, but what they are not understanding is that they are signing with an alternate GlobalSign root CA, and in the connection logs which I sent it is failing to match the trustpoint, so they should sign the user CSR with the same GlobalSign root CA which they used to issue my public IP (domain SSL) certificate.

Please correct me if the above explanation is not correct.

Thanks
