01-18-2020 06:36 AM - edited 01-21-2020 12:30 PM
01-18-2020 06:50 AM
01-18-2020 07:55 AM
What would the ASA CLI config look like? Should I remove "authentication myiseserver" from the tunnel group? Also, I have my internal root and intermediate CA on the ASA already, but it will not accept the computer client cert I have, and fails with this error:
File: CTransportWinHttp.cpp
Line: 1255
Invoked Function: HttpSendRequest
Return Code: 12186 (0x00002F9A)
Description: The client certificate credentials were not recognized.
********************************************************
Function: ConnectIfc::TranslateStatusCode
File: ConnectIfc.cpp
Line: 3157
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -29949918 (0xFE370022)
Description: CTRANSPORT_ERROR_USER_CERT
Internal Error (client certificate error).
01-18-2020 08:01 AM
01-18-2020 08:15 AM
Error above is from a user cert. I have a machine cert that doesn’t get this error.
01-18-2020 08:25 AM
Configuration below from my lab, which successfully authenticates the user to the ASA using certificates and passes the CN to ISE for authorisation.
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server ISE (INSIDE) host 192.168.10.10
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
tunnel-group TG-1 general-attributes
 authorization-server-group ISE
tunnel-group TG-1 webvpn-attributes
 authentication certificate
 group-alias TG-1 enable
crypto ca trustpoint LAB_PKI
 enrollment terminal
 fqdn asa-1.lab.net
 subject-name CN=asa-1.lab.net,OU=LAB,ST=London,C=GB
 keypair VPN_KEY
 crl configure
ssl trust-point LAB_PKI OUTSIDE
The identity certificate on the ASA trustpoint LAB_PKI is signed by the same Internal CA that issued the user certificate on my computer.
Provide your configuration if you still have issues, errors without context make it harder to troubleshoot.
HTH
01-18-2020 09:00 AM
keys, hostnames, addresses etc removed:
tunnel-group test type remote-access
tunnel-group test general-attributes
 authentication-server-group test
 authorization-server-group test
 accounting-server-group test
 default-group-policy test
 authorization-required
tunnel-group test webvpn-attributes
 authentication aaa certificate
 group-url https://fqdn/test enable
!
aaa-server test protocol radius
 authorize-only
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server test (INSIDE) host mypriserver
 authentication-port 1812
 accounting-port 1813
aaa-server test (INSIDE) host mysecserver
 authentication-port 1812
 accounting-port 1813
!
aaa-server test protocol radius
aaa-server test (INSIDE) host mypriserver
 authentication-port 1812
 accounting-port 1813
!
crypto ca trustpoint root
 enrollment terminal
 crl configure
crypto ca trustpoint intermediate
 enrollment terminal
 crl configure
(two trust points because I could not combine my root and intermediate into one cert)
01-18-2020 09:16 AM
01-18-2020 09:53 AM
So is that trustpoint enabled for ssl? Yes
Do the ASA and User trust each others certificate? Yes
So you have a computer certificate that works but it's just the user certificate that does not work? Yes
I’ll get back to you on template differences
What is the difference in the certificate template used?
Enable debugging on the ASA and upload for review.
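As an added lab check that is not part of this thread or of any Cisco code, the Go program below (standard library only) models the two things a TLS server does with a client certificate before it can map it to a user, which is what the "do the ASA and user trust each other's certificate" and "what differs between the templates" questions are probing: the chain must end at a CA loaded as a trustpoint, and the leaf must be valid for client authentication; on success it returns the subject CN, the value the lab config above passes to ISE for authorisation. The CA names, user CN and EKU choices are constructed for the example, and the ServerAuth-only leaf simulates a template difference rather than any specific Windows template.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign is a constructed-lab helper: it signs tmpl as issued by parent (tmpl itself for a self-signed CA).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// newCA builds a throwaway CA that stands in for the internal CA held in the ASA trustpoints.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(t, t, &key.PublicKey, key), key
}

// newLeaf issues an end-entity certificate from ca with a single EKU, standing in for a certificate template.
func newLeaf(cn string, eku x509.ExtKeyUsage, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	return sign(t, ca, &key.PublicKey, caKey)
}

// CheckClientCert applies the two checks a TLS server makes on a client certificate: the chain must end at
// a trusted CA and the leaf must be valid for client authentication. It returns the subject CN on success.
func CheckClientCert(leaf *x509.Certificate, trusted *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}
```

The returned error text ("certificate signed by unknown authority" versus "incompatible key usage") separates a trust-chain problem from a template problem, which is the same distinction to make when reading the ASA debug output.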