AnyConnect VPN Azure MFA Certificate Renewal via ASDM Help Request

Meg Cochran
Level 1

I've got an Azure certificate expiring and cannot for the life of me find resources to renew this certificate. Ideally I'd love to do it through ASDM, since that is more comfortable for me, but I haven't found a single reference to renewing the certificate on the Cisco side of things. Microsoft has a dozen articles about setting up Azure for MFA, and I see plenty on setting up the initial trustpoint, etc., but nothing about renewing it.

Azure offers XML, Raw, Base64, and PEM as file types, but I'm getting errors with every attempt.

Anyone have experience with this!?

2 Replies

How have you integrated Azure MFA? Using SAML or some other method?

If using SAML, you could just add the certificate using the certificate management page in ASDM and then update the trustpoint either in the CLI or by going under the connection profile and editing the SAML configuration there.

--
Please remember to select a correct answer and rate helpful posts

Meg Cochran
Level 1

This is my question, and with the help of a few others I've got an answer.

This CANNOT be done using ASDM, as `no ca-check` isn't an option in ASDM. The linked article is helpful enough for the initial configuration, or if you've got experience with the ASA CLI, but far less so if you're an infrequent ASA CLI user. It is lacking information and explanation for when you eventually have to renew your Azure MFA certificate.

This article talks about how to do the initial AnyConnect SAML setup with Azure MFA. To renew, we're going to follow some of the steps and ignore others. https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

Important Notes:

  • Even if Step 1 fails, you've definitely created a trustpoint that needs to be cleaned up.
  • PEM certificate = Base64.
  • config-webvpn, config-webvpn-saml-idp, and config-tunnel-webvpn are all sub-menus.
  • The wording that needs to change is in brackets []. Additional explanations are in italics.

Step 1: Follow the article, but use a different name for the new trustpoint

My-firewall# config t
My-firewall(config)# crypto ca trustpoint [NEW_NAME]
My-firewall(config-ca-trustpoint)# revocation-check none
My-firewall(config-ca-trustpoint)# no id-usage
My-firewall(config-ca-trustpoint)# enrollment terminal
My-firewall(config-ca-trustpoint)# no ca-check
My-firewall(config-ca-trustpoint)# crypto ca authenticate [NEW_NAME]
-----BEGIN CERTIFICATE-----
[Enter the Base64-encoded CA certificate.] (What you downloaded from the Azure SSO config page)
-----END CERTIFICATE-----
quit (Required: end with the word "quit" on a line by itself)


Step 2: You only need some of these steps for renewal, because the rest should not have changed.

My-firewall(config)# webvpn
My-firewall(config-webvpn)# saml idp [https://sts.windows.net/blah,blah,blah]

This doesn't change, but you need it to get to the correct sub-menu.

My-firewall(config-webvpn-saml-idp)# no trustpoint idp AzureAD-AC-SAML

Removes the previous trustpoint.

You will see: WARNING: SAML IdP has been associated to a tunnel-group, please re-apply the SAML IdP to the tunnel-group to update modified configuration. You MUST remove and re-apply the SAML IdP to the tunnel-group in Step 3.

My-firewall(config-webvpn-saml-idp)# trustpoint idp [NEW_NAME]

Applies the newly created trustpoint.


Step 3: Remove and re-apply the SAML IdP (it DOES NOT CHANGE) to your tunnel-group

My-firewall(config-webvpn-saml-idp)# tunnel-group [Mytunnelgroup] webvpn-attributes
My-firewall(config-tunnel-webvpn)# no saml identity-provider [https://sts.windows.net/blah,blah,blah]

Removes the previous SAML association.

My-firewall(config-tunnel-webvpn)# saml identity-provider [https://sts.windows.net/blah,blah,blah]

Re-applies the SAML association.

My-firewall(config-tunnel-webvpn)# wr mem
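The errors with Azure's XML, Raw, Base64 and PEM downloads come down to getting the same DER bytes into the one form the ASA's `crypto ca authenticate` prompt accepts: PEM armour, 64-character lines, then `quit` alone on a line. The script below is an added example, not part of this thread or of Cisco's article, and uses only the Python standard library. It normalises any of those four forms to DER, reads notAfter out of the certificate with a minimal ASN.1 walk so you can confirm you are holding the new certificate rather than the expiring one (`renewal_extends`), prints the MD5 fingerprint in four 8-hex-digit groups, and emits the exact paste block for Step 1. The certificate it runs on is constructed in `constructed_sample_der()` and is certificate-shaped only (key and signature are padding). Two things are my assumptions, not the thread's: that the fingerprint the ASA prints while authenticating is an MD5 in that grouping, and that the first `X509Certificate` element in the federation metadata is the signing certificate.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    out, pos = [], start                     # every (tag, value_start, value_end) in [start, end)
    while pos < end:
        tlv = _tlv(buf, pos)
        out.append(tlv)
        pos = tlv[2]
    return out

def _asn1_time(buf, tlv):
    tag, s, e = tlv                          # 0x17 UTCTime (YY...), 0x18 GeneralizedTime (YYYY...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity(der):
    """(notBefore, notAfter) of a DER X.509 certificate as aware UTC datetimes."""
    _, s, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, ts, te = _tlv(der, s)                 # tbsCertificate ::= SEQUENCE
    fields = _children(der, ts, te)
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    _, vs, ve = fields[3]                    # serialNumber, signature, issuer, validity
    return tuple(_asn1_time(der, t) for t in _children(der, vs, ve))

def to_der(blob):
    """Accept federation-metadata XML, PEM, raw DER or bare Base64 bytes; return DER."""
    text = bytes(blob).decode("latin-1")
    m = re.search(r"<(?:\w+:)?X509Certificate>([A-Za-z0-9+/=\s]+)</(?:\w+:)?X509Certificate>", text)
    if m:                                    # metadata XML; assumes the first X509Certificate is the signing cert
        return base64.b64decode(re.sub(r"\s", "", m.group(1)))
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if m:                                    # PEM, which is also what Azure's "Base64" download is
        return base64.b64decode(re.sub(r"\s", "", m.group(1)))
    if blob[:1] == b"\x30" and blob[1:2] in (b"\x81", b"\x82", b"\x83"):
        return bytes(blob)                   # raw DER: outer SEQUENCE with a long-form length
    stripped = re.sub(r"\s", "", text)
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", stripped):
        return base64.b64decode(stripped)    # bare Base64 without PEM armour
    raise ValueError("unrecognised certificate encoding")

def to_pem(der):
    """PEM armour with 64-character lines, the form the ASA's terminal enrolment expects."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def asa_paste_block(der):
    """What to paste at the 'crypto ca authenticate' prompt: the PEM, then 'quit' alone on a line."""
    return to_pem(der) + "quit\n"

def md5_fingerprint(der):
    """MD5 of the DER in four 8-hex groups. Assumption: matches the ASA's Fingerprint line. Identity check only."""
    h = hashlib.md5(der).hexdigest()
    return " ".join(h[i:i + 8] for i in range(0, 32, 8))

def renewal_extends(old_der, new_der):
    """True when the certificate about to be installed outlives the one it replaces."""
    return validity(new_der)[1] > validity(old_der)[1]

# Constructed fixture: certificate-shaped DER, NOT a real Azure certificate. Only the
# fields validity() walks are meaningful; key and signature are padding bytes.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def constructed_sample_der(not_after=b"261231235959Z"):
    val = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")              # [0] version v3, serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + _der(0x30, b"") + val + _der(0x30, b"")                         # issuer, validity, subject
           + _der(0x30, b"\x00" * 140))                                      # subjectPublicKeyInfo stand-in
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00" * 8))

def sample_inputs():
    """The same constructed certificate in each form the Azure portal can hand you."""
    der = constructed_sample_der()
    b64 = base64.b64encode(der)
    return {"raw_der": der,
            "pem_or_base64_download": to_pem(der).encode("ascii"),
            "bare_base64": b64 + b"\n",
            "federation_metadata_xml": b"<ds:X509Certificate>" + b64 + b"</ds:X509Certificate>"}
```

To run it against a real download, feed `open(path, "rb").read()` to `to_der()` instead of one of the `sample_inputs()` entries, check that `validity()` reports the notAfter shown on the Azure SSO page (and, with the expiring certificate's DER as the first argument, that `renewal_extends()` is True), and compare `md5_fingerprint()` against what the ASA shows at the `crypto ca authenticate` prompt before answering yes. `asa_paste_block()` is the text to paste there, `quit` included.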
