02-16-2024 01:08 PM
I've got an Azure certificate expiring and cannot for the life of me find resources to renew this certificate. Ideally I'd love to do it through ASDM since that is more comfortable for me, but I haven't found a single reference to renewing the certificate on the Cisco side of things. Microsoft has a dozen articles about setting up Azure for MFA and I see plenty to set up the initial trustpoint, etc., but nothing about renewing it.
Azure offers XML, Raw, Base64, and PEM for file types but I'm getting errors with every attempt.
Anyone have experience with this!?
02-17-2024 11:09 AM
How have you integrated Azure MFA? Using SAML or some other method?
If using SAML you could just add the certificate using the certificate management page in ASDM and then update the trustpoint in either CLI or go under the connection profile and edit the SAML configuration there.
02-23-2024 11:28 AM
This is my question and with the help of a few others I've got an answer.
This CANNOT be done using ASDM as the no ca-check isn't an option on ASDM. The linked article is helpful enough for the initial configuration or if you've got experience with the ASA CLI but far less if you're an infrequent ASA CLI user. It is lacking information and explanation for when eventually you have to renew your Azure MFA certificate.
This article talks about how to do the initial AnyConnect setup SAML with Azure MFA. To renew we're going to follow some of the steps and ignore others. https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html
Important Notes:
Step 1: Follow article but use different name for new trustpoint
My-firewall# config t
My-firewall(config)# crypto ca trustpoint [NEW_NAME]
My-firewall(config-ca-trustpoint)# revocation-check none
My-firewall(config-ca-trustpoint)# no id-usage
My-firewall(config-ca-trustpoint)# enrollment terminal
My-firewall(config-ca-trustpoint)# no ca-check
My-firewall(config-ca-trustpoint)# exit
My-firewall(config)# crypto ca authenticate [NEW_NAME]
-----BEGIN CERTIFICATE-----
[Enter the base 64 encoded CA certificate.] (What you downloaded from the Azure SSO config page)
-----END CERTIFICATE-----
quit (Required to end with the word "quit" on a line by itself)
Step 2: You only need some of these steps for renewal because the rest should not have changed.
My-firewall(config)# webvpn
My-firewall(config-webvpn)# saml idp [https://sts.windows.net/blah,blah,blah]
This doesn't change but you need it to get to the correct submenu.
My-firewall(config-webvpn-saml-idp)# no trustpoint idp AzureAD-AC-SAML
Removes previous trustpoint.
You will see: WARNING: SAML IdP has been associated to a tunnel-group, please re-apply the SAML IdP to the tunnel-group to update modified configuration. You MUST remove and re-apply the SAML IdP to the tunnel-group in Step 3.
My-firewall(config-webvpn-saml-idp)# trustpoint idp [NEW_NAME]
Applies newly created Trustpoint.
Step 3: Remove and re-apply saml idp (it DOES NOT CHANGE) to your tunnel-group
My-firewall(config-webvpn-saml-idp)# exit
My-firewall(config-webvpn)# exit
My-firewall(config)# tunnel-group [Mytunnelgroup] webvpn-attributes
My-firewall(config-tunnel-webvpn)# no saml identity-provider [https://sts.windows.net/blah,blah,blah]
Removes previous SAML association.
My-firewall(config-tunnel-webvpn)# saml identity-provider [https://sts.windows.net/blah,blah,blah]
Re-applies SAML association
My-firewall(config-tunnel-webvpn)# wr mem
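The errors the original poster hit with "every attempt" usually come from the format of what gets pasted at the crypto ca authenticate prompt, or from pasting the old certificate instead of the new one. The script below is an added example (stdlib only, not code from the Cisco article or the posts above): it takes whichever file Azure gives you (Federation Metadata XML, Base64 text with or without PEM headers, or the Raw DER file), normalises it into the 64-column PEM block plus the closing quit line, and reports the certificate's validity window and SHA-1 thumbprint so you can compare it with the Thumbprint Azure shows beside the SAML signing certificate before touching the ASA. The certificate it runs on is a constructed structural stand-in (empty names, no real signature) so the file runs offline; the Azure field names and the assumption that the portal thumbprint is SHA-1 of the DER are mine.

```python
"""Normalise an Azure SAML signing certificate download into the PEM block the
ASA's 'enrollment terminal' trustpoint expects, and sanity-check it first."""
import base64
import binascii
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
XML_RE = re.compile(r"<(?:\w+:)?X509Certificate>(.*?)</(?:\w+:)?X509Certificate>", re.S)

def to_der(blob: bytes) -> bytes:
    """Return the DER certificate bytes from any of the Azure download formats."""
    try:
        text = blob.decode("utf-8-sig")              # text formats (BOM tolerated)
    except UnicodeDecodeError:
        return blob                                  # binary: the Raw (DER) download
    m = PEM_RE.search(text) or XML_RE.search(text)   # metadata XML: first X509Certificate
    b64 = re.sub(r"\s+", "", m.group(1) if m else text)
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error as e:
        raise ValueError("not PEM, Base64, DER or federation metadata XML") from e

def to_pem(der: bytes) -> str:
    """64-column PEM, the safe form to paste at the terminal enrollment prompt."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def asa_paste_block(der: bytes) -> str:
    """Exactly what to paste after 'crypto ca authenticate': PEM, then 'quit' alone."""
    return to_pem(der) + "quit\n"

def thumbprint(der: bytes) -> str:
    """SHA-1 hex of the DER (assumed to match the Thumbprint Azure displays)."""
    return hashlib.sha1(der).hexdigest().upper()

def _tlv(buf: bytes, off: int):
    """Parse one DER TLV at off -> (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _children(body: bytes):
    """Yield (tag, value) for each TLV directly inside a constructed element."""
    off = 0
    while off < len(body):
        tag, val, off = _tlv(body, off)
        yield tag, val

def _asn1_time(tag: int, val: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity(der: bytes):
    """(notBefore, notAfter) from TBSCertificate: [version] serial sigalg issuer VALIDITY ..."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    (t1, nb), (t2, na) = _children(fields[3][1])
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def check(blob: bytes, now_iso=None) -> dict:
    """What to eyeball before pasting: is this really the NEW, currently valid cert?"""
    der = to_der(blob)
    nb, na = validity(der)
    now = (datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    return {"thumbprint": thumbprint(der), "not_before": nb, "not_after": na,
            "currently_valid": nb <= now <= na, "days_left": (na - now).days}

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_certificate_der() -> bytes:
    """CONSTRUCTED stand-in: a real Certificate skeleton with empty names and a dummy
    signature. Real input is the file downloaded from the Azure SAML signing-cert page."""
    seq = lambda *items: _der(0x30, b"".join(items))
    sha256_rsa = seq(_der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    empty_name = seq()
    validity_seq = seq(_der(0x17, b"240201000000Z"), _der(0x17, b"270201000000Z"))
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), sha256_rsa,
              empty_name, validity_seq, empty_name, seq(sha256_rsa, _der(0x03, b"\x00")))
    return seq(tbs, sha256_rsa, _der(0x03, b"\x00"))

if __name__ == "__main__":
    der = sample_certificate_der()
    body = to_pem(der).split("-----")[2]             # bare Base64 lines, no PEM headers
    for name, blob in {"Raw (DER)": der, "PEM": to_pem(der).encode(), "Base64": body.encode(),
                       "Metadata XML": f"<ds:X509Certificate>{body}</ds:X509Certificate>".encode()}.items():
        r = check(blob)
        print(f"{name:13} thumbprint={r['thumbprint']} valid={r['currently_valid']} "
              f"until={r['not_after']:%Y-%m-%d} days_left={r['days_left']}")
    print(asa_paste_block(der), end="")
```

Run it against the file you actually downloaded (for example `check(open("azure.cer", "rb").read())`): if not_after is the old expiry date, you grabbed the expiring certificate rather than the newly activated one, and no amount of trustpoint surgery on the ASA will help.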
08-05-2024 07:38 AM
Great summary Meg, very well done! One thing I will add to this is for Step #2. Under the webvpn config, make certain that your trustpoint sp is pointing to the proper name of the associated trustpoint being used by your ASA's external interface. If not, you will end up with an error in Step 3 when you try to re-apply the identity provider. What is interesting, is that as long as you don't reapply the identity provider, you will still have a working environment with a DOA trustpoint sp.