AnyConnect Via Client Certificates - Questions

s1nsp4wn
Level 1

Hi,
Yes it's possible to authenticate to ASA using certificates only and just send authorisation to ISE.

The AnyConnect user must have a certificate that is mutually trusted by the ASA. The ASA would usually have an identity certificate issued by an internal CA, which is the same CA that issued the user certificate.

HTH

What would the ASA cli config look like?  Should I remove authentication myiseserver from tunnel group?  Also I have my internal root and intermediate in CA on the ASA already but it will not accept the computer client cert I have with error:

File: CTransportWinHttp.cpp

Line: 1255

Invoked Function: HttpSendRequest

Return Code: 12186 (0x00002F9A)

Description: The client certificate credentials were not recognized.

 

********************************************************

 

Function: ConnectIfc::TranslateStatusCode

File: ConnectIfc.cpp

Line: 3157

Invoked Function: ConnectIfc::TranslateStatusCode

Return Code: -29949918 (0xFE370022)

Description: CTRANSPORT_ERROR_USER_CERT

Internal Error (client certificate error).

You need to use a user certificate

Error above is from a user cert.  I have a machine cert that doesn’t get this error.

Configuration below from my lab, which successfully authenticates the user to the ASA using certificates and passes the CN to ISE for authorisation.

 

aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 24
dynamic-authorization
aaa-server ISE (INSIDE) host 192.168.10.10
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****

tunnel-group TG-1 general-attributes
authorization-server-group ISE
tunnel-group TG-1 webvpn-attributes
authentication certificate
group-alias TG-1 enable

crypto ca trustpoint LAB_PKI
enrollment terminal
fqdn asa-1.lab.net
subject-name CN=asa-1.lab.net,OU=LAB,ST=London,C=GB
keypair VPN_KEY
crl configure

ssl trust-point LAB_PKI OUTSIDE

The identity certificate on the ASA trustpoint LAB_PKI is signed by the same Internal CA that issued the user certificate on my computer.

 

Provide your configuration if you still have issues, errors without context make it harder to troubleshoot.

 

HTH
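As an added example (not from this thread, nor Cisco's own tooling), a stdlib-only Python linter that checks a flattened ASA config for the certificate-only authentication plus RADIUS authorize-only pattern shown in the reply above; its checks mirror the questions asked later in the thread (trustpoint bound with `ssl trust-point`, `authentication certificate` on the tunnel-group, `authorize-only` on the authorization group). The `SAMPLE` config, `HEADER` regex and function names are constructed for the example.

```python
import re

# Constructed sample, modelled on the working lab config in the reply above.
SAMPLE = """\
aaa-server ISE protocol radius
authorize-only
aaa-server ISE (INSIDE) host 192.168.10.10
tunnel-group TG-1 general-attributes
authorization-server-group ISE
tunnel-group TG-1 webvpn-attributes
authentication certificate
crypto ca trustpoint LAB_PKI
ssl trust-point LAB_PKI OUTSIDE
"""

# Lines that open a block in un-indented (copy-pasted) ASA output.
HEADER = re.compile(r"^(tunnel-group \S+ \S+(?: \S+)?|aaa-server \S+ protocol \S+|"
                    r"aaa-server \S+ \(\S+\) host \S+|crypto ca trustpoint \S+)$")

def parse_blocks(config: str) -> dict:
    # Map each block header to its sub-commands; 'ssl trust-point' lines go under "ssl".
    blocks, current = {"ssl": []}, None
    for line in (r.strip() for r in config.splitlines()):
        if not line or line == "!":
            continue
        if HEADER.match(line):
            current = line
            blocks[current] = []
        elif line.startswith("ssl trust-point "):
            blocks["ssl"].append(line)
        elif current is not None:
            blocks[current].append(line)
    return blocks

def lint_cert_auth(config: str, tg: str) -> list:
    # Findings for a tunnel-group meant to do cert-only auth with RADIUS authorization.
    b, findings = parse_blocks(config), []
    webvpn = b.get(f"tunnel-group {tg} webvpn-attributes", [])
    general = b.get(f"tunnel-group {tg} general-attributes", [])
    if "authentication certificate" not in webvpn:
        findings.append("webvpn-attributes: expected 'authentication certificate' "
                        "(the 'authentication aaa certificate' form still requires AAA credentials)")
    authz = [s.split()[-1] for s in general if s.startswith("authorization-server-group ")]
    if not authz:
        findings.append("general-attributes: no 'authorization-server-group' configured")
    elif "authorize-only" not in b.get(f"aaa-server {authz[0]} protocol radius", []):
        findings.append(f"aaa-server group '{authz[0]}' is undefined or lacks 'authorize-only'")
    defined = {h.split()[-1] for h in b if h.startswith("crypto ca trustpoint ")}
    bound = {s.split()[2] for s in b["ssl"]}
    if not defined & bound:
        findings.append("no defined trustpoint is bound with 'ssl trust-point'")
    return findings
```

Paste `show running-config` output in place of `SAMPLE` and call `lint_cert_auth(text, "TG-1")`; an empty list means the three conditions hold.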

Keys, hostnames, addresses etc. removed:

 

tunnel-group test type remote-access
tunnel-group test general-attributes
authentication-server-group test
authorization-server-group test
accounting-server-group test
default-group-policy test
authorization-required
tunnel-group test webvpn-attributes
authentication aaa certificate
group-url https://fqdn/test enable
!

aaa-server test protocol radius
authorize-only
interim-accounting-update periodic 24
dynamic-authorization
aaa-server test (INSIDE) host mypriserver
authentication-port 1812
accounting-port 1813
aaa-server test (INSIDE) host mysecserver
authentication-port 1812
accounting-port 1813

!

aaa-server test protocol radius
aaa-server test (INSIDE) host mypriserver
authentication-port 1812
accounting-port 1813

!

crypto ca trustpoint root
enrollment terminal
crl configure
crypto ca trustpoint intermediate
enrollment terminal
crl configure
(two trust points because I could not combine my root and intermediate into one cert)

So is that trustpoint enabled for ssl?
Do the ASA and User trust each others certificate?
So you have a computer certificate that works but it's just the user certificate that does not work? What is the difference in the certificate template used?
Enable debugging on the ASA and upload for review.

So is that trustpoint enabled for ssl?  Yes


Do the ASA and User trust each others certificate?  Yes


So you have a computer certificate that works but it's just the user certificate that does not work? Yes

 

I’ll get back to you on template differences

What is the difference in the certificate template used?
Enable debugging on the ASA and upload for review.
