03-25-2015 04:39 PM - edited 03-11-2019 10:42 PM
Recently updated an ASA 5505. Now running into an ASDM certificate validation failure. Also, the browser returns 401 Unauthorized.
After some troubleshooting I determined that "no http authentication-certificate inside" would allow ASDM to function correctly.
Have another ASA self-signed cert on the outside which is functioning fine for AnyConnect SSL/IPsec VPN.
Followed instructions at: http://www.cisco.com/c/en/us/td/docs/security/asdm/identity-cert/cert-install.html but still requires certificate auth to be disabled.
ASA843 and ASDM-674 did not experience this behavior.
I'm not understanding the command "no http authentication-certificate inside" or ASDM certificate authentication itself.
Will the ASA self-signed cert not work if this command is enabled?
Appreciate any help. Thank you.
Info
Java 1.7.0_45 with ASDM certificate added
Certificate also added to Win7 trusted root
---------------------------
boot system disk0:/asa916-k8.bin
asdm image disk0:/asdm-731-101.bin
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable *****
http server idle-timeout 60
http ***** 255.255.255.255 inside
http ******* 255.255.255.0 inside
crypto ca trustpoint ANYCONNECT
 enrollment self
 subject-name CN=Here
 keypair ANYCONNECT
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=(*ASA INSIDE IP*)
 keypair ASDM
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca server
 shutdown
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ANYCONNECT
 certificate ******
    ******
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ******
    ******
  quit
management-access inside
ssl encryption aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ANYCONNECT outside
03-25-2015 08:46 PM
Hi,
To be clear, the identity cert process is only needed because of the changes after Java 7 Update 51.
Since the login works after removing certificate auth on the interface, it seems to be related to the certificate auth itself.
Thanks and Regards,
Vibhor Amrodia
03-26-2015 07:26 PM
Thank you.
So the clarification was here:
https://supportforums.cisco.com/discussion/12425591/require-client-certificate-access-asdm-following-interfaces
"Client certificates are a totally separate issue. That's typically only used when you have a PKI and are using the certificates issued to a client as a form of authentication and/or authorization"
My confusion came from the fact that the ASA915 upgrade automatically enabled the client cert auth requirement, which wasn't enabled in my ASA843 config.
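The distinction drawn in that quote is worth checking mechanically on a config before and after an upgrade: the server identity cert (ssl trust-point) decides whether the ASDM launcher trusts the ASA, while http authentication-certificate decides whether the ASA demands a client certificate, which is what produces the 401. The following audit script is an added example written for this page; it is not Cisco tooling and not code from anyone in the thread. It parses a constructed running-config excerpt modelled on the one posted above, with an "http authentication-certificate inside" line added to represent the post-upgrade state, and reports per management interface whether a client cert is required, which trustpoint is bound, and the exact "no" command that clears the requirement.

```python
"""Audit an ASA running-config excerpt for the ASDM/HTTPS access settings
discussed in this thread.

Added example for this page, not Cisco tooling. The config below is a
constructed sample modelled on the thread, with
'http authentication-certificate inside' added to show the failing state.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
http server enable 8443
http server idle-timeout 60
http 192.0.2.10 255.255.255.255 inside
http 192.0.2.0 255.255.255.0 inside
http authentication-certificate inside
aaa authentication http console LOCAL
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ANYCONNECT outside
"""


@dataclass
class HttpAccess:
    server_enabled: bool = False
    port: int = 443                               # ASA default when no port is given
    aaa_http: Optional[str] = None                # server group for 'aaa authentication http console'
    allowed: List[Tuple[str, str, str]] = field(default_factory=list)   # (ip, mask, interface)
    client_cert_required: Dict[str, Optional[str]] = field(default_factory=dict)  # iface -> cert map
    trust_points: Dict[str, str] = field(default_factory=dict)   # iface ('*' = global) -> trustpoint


def parse_http_access(config: str) -> HttpAccess:
    acc = HttpAccess()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("http server "):
            # 'http server enable [port]'; other 'http server' lines (idle-timeout,
            # basic-auth-client, ...) are not access rules and are skipped.
            m = re.match(r"http server enable(?: (\d+))?$", line)
            if m:
                acc.server_enabled = True
                if m.group(1):
                    acc.port = int(m.group(1))
            continue
        m = re.match(r"http authentication-certificate (\S+)(?: match (\S+))?$", line)
        if m:
            acc.client_cert_required[m.group(1)] = m.group(2)
            continue
        m = re.match(r"http (\S+) (\S+) (\S+)$", line)
        if m:
            acc.allowed.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = re.match(r"ssl trust-point (\S+)(?: (\S+))?$", line)
        if m:
            acc.trust_points[m.group(2) or "*"] = m.group(1)
            continue
        m = re.match(r"aaa authentication http console (\S+)", line)
        if m:
            acc.aaa_http = m.group(1)
    return acc


def management_interfaces(acc: HttpAccess) -> List[str]:
    return sorted({iface for _, _, iface in acc.allowed})


def asdm_findings(acc: HttpAccess) -> List[str]:
    findings = []
    if not acc.server_enabled:
        findings.append("http server is disabled: ASDM cannot connect at all")
    for iface in management_interfaces(acc):
        if iface in acc.client_cert_required:
            cmap = acc.client_cert_required[iface]
            suffix = f" (match {cmap})" if cmap else ""
            findings.append(f"{iface}: client certificate required{suffix}; "
                            "a browser or ASDM without an issued client cert gets HTTP 401")
        if iface not in acc.trust_points and "*" not in acc.trust_points:
            findings.append(f"{iface}: no ssl trust-point bound, the default self-signed "
                            "cert will be presented and the ASDM launcher will not trust it")
    return findings


def fix_commands(acc: HttpAccess) -> List[str]:
    """Commands that drop the client-cert requirement on each interface that
    accepts ASDM connections (the fix the thread converged on)."""
    return [f"no http authentication-certificate {iface}"
            for iface in management_interfaces(acc)
            if iface in acc.client_cert_required]


if __name__ == "__main__":
    access = parse_http_access(SAMPLE_CONFIG)
    print(f"https port {access.port}, aaa http -> {access.aaa_http}, "
          f"trust-points {access.trust_points}")
    for f in asdm_findings(access):
        print("finding:", f)
    for c in fix_commands(access):
        print("fix:", c)
```

Feed it the output of "show running-config" saved to a file instead of SAMPLE_CONFIG; masked values in a posted config (the ***** above) will simply fail the address regex and be ignored rather than mis-parsed. Dropping the client-cert requirement leaves username/password authentication (aaa authentication http console) in place, which is the only authentication the ASDM login used before the upgrade.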
07-15-2016 04:22 PM
Thank You VERY much...
no http authentication-certificate inside fixed the issue for me.
11-29-2019 01:38 PM
I had to use an old ASA 5506-X to recover from the failure of an ASA 5508-X, apparently affected by the time bug. The darn thing died in the middle of the night; this morning around 5:30 am I had to scramble to get the retail location's Internet access working, as the store was opening to the public at 6 am.
Anyway, the command "no http authentication-certificate inside" did work for me.
Thank you!