ASA ASDM SSL Certificate validation failure

taysandman
Level 1

Recently updated an ASA 5505. Now running into ASDM certificate validation failure. Also the browser returns 401 Unauthorized.

After some troubleshooting I determined that "no http authentication-certificate inside" would allow ASDM to function correctly.

Have another ASA self-signed cert on outside which is functioning fine for AnyConnect SSL/IPsec VPN.

Followed instructions at: http://www.cisco.com/c/en/us/td/docs/security/asdm/identity-cert/cert-install.html but it still requires certificate auth to be disabled.

ASA843 and ASDM-674 did not experience this behavior.

I'm not understanding the command "no http authentication-certificate inside" or ASDM certificate authentication itself.

Will the ASA self-signed cert not work if this command is enabled?

Appreciate any help. Thank you.

Info

Java 1.7.0_45 with ASDM certificate added

Certificate also added to win7 trusted root

---------------------------

boot system disk0:/asa916-k8.bin

asdm image disk0:/asdm-731-101.bin

aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable *****
http server idle-timeout 60
http ***** 255.255.255.255 inside
http ******* 255.255.255.0 inside

crypto ca trustpoint ANYCONNECT
 enrollment self
 subject-name CN=Here
 keypair ANYCONNECT
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=(*ASA INSIDE IP*)
 keypair ASDM
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca server
 shutdown
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ANYCONNECT
 certificate ******
    ******
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate  ******
     ******
  quit

management-access inside

ssl encryption aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ANYCONNECT outside

 

 

 

 

4 Replies

Vibhor Amrodia
Cisco Employee

Hi,

To be clear, the identity cert process is only needed because of the changes after Java 7 Update 51.

I think, as the login works after removing certificate auth on the interface, it seems to be related to the certificate auth itself.

Thanks and Regards,

Vibhor Amrodia

Thank you.

So the clarification was here:

https://supportforums.cisco.com/discussion/12425591/require-client-certificate-access-asdm-following-interfaces

"Client certificates are a totally separate issue. That's typically only used when you have a PKI and are using the certificates issued to a client as a form of authentication and/or authorization"

 

My confusion came from the fact that the ASA915 upgrade automatically enabled the client cert auth requirement, which wasn't enabled in my ASA843 config.
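An added example, not code from the thread or from Cisco: a small Python audit that parses the http and ssl trust-point lines of an ASA running-config excerpt like the one in the original post and reports, per interface, which hosts may reach ASDM, whether "http authentication-certificate" demands a client certificate there (the setting the upgrade turned on), and which trustpoint serves the interface. The sample config is constructed; its addresses and trustpoint names are placeholders, not the poster's. Feeding the same text plus the "no http authentication-certificate inside" line shows the finding clearing, which is a quick way to confirm what a fix changes before touching a box.

```python
import ipaddress

# Constructed sample modelled on the running-config excerpt in the original
# post; addresses and trustpoint names are placeholders, not the poster's.
SAMPLE_CONFIG = """\
http server enable
http server idle-timeout 60
http 192.0.2.10 255.255.255.255 inside
http 192.0.2.0 255.255.255.0 inside
http authentication-certificate inside
ssl encryption aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ANYCONNECT outside
"""


def _new_interface():
    return {"allowed_hosts": [], "client_cert_required": False, "trustpoint": None}


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def audit_asdm_access(config):
    """Parse the http / ssl trust-point lines of an ASA config.

    Returns {"server_enabled": bool, "interfaces": {name: {...}}}.
    Lines prefixed with "no" (as typed at the CLI, e.g. the fix from the
    thread) clear the corresponding setting, so a config plus an intended
    command can be re-audited before it is applied.
    """
    interfaces = {}
    server_enabled = False
    default_trustpoint = None

    for raw in config.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("!"):
            continue
        negated = tokens[0] == "no"
        if negated:
            tokens = tokens[1:]
        if len(tokens) < 3:
            continue

        if tokens[0] == "http":
            if tokens[1] == "server" and tokens[2] == "enable":
                server_enabled = not negated
            elif tokens[1] == "authentication-certificate":
                entry = interfaces.setdefault(tokens[2], _new_interface())
                entry["client_cert_required"] = not negated
            elif len(tokens) == 4 and _is_ip(tokens[1]) and _is_ip(tokens[2]):
                # "http <host> <mask> <interface>": management hosts allowed to reach ASDM
                host, mask, iface = tokens[1], tokens[2], tokens[3]
                entry = interfaces.setdefault(iface, _new_interface())
                if negated:
                    entry["allowed_hosts"] = [h for h in entry["allowed_hosts"] if h != (host, mask)]
                else:
                    entry["allowed_hosts"].append((host, mask))
        elif tokens[0] == "ssl" and tokens[1] == "trust-point":
            name = None if negated else tokens[2]
            if len(tokens) == 4:
                interfaces.setdefault(tokens[3], _new_interface())["trustpoint"] = name
            else:
                default_trustpoint = name  # "ssl trust-point <name>" with no interface

    # An interface with no explicit binding falls back to the default trustpoint.
    for entry in interfaces.values():
        if entry["trustpoint"] is None:
            entry["trustpoint"] = default_trustpoint
    return {"server_enabled": server_enabled, "interfaces": interfaces}


def findings(audit):
    """Human-readable notes on why ASDM might be refused, per interface."""
    notes = []
    if not audit["server_enabled"]:
        notes.append("http server is not enabled: ASDM cannot connect on any interface")
    for iface, entry in sorted(audit["interfaces"].items()):
        if not entry["allowed_hosts"]:
            continue  # no management hosts permitted here, nothing to check
        if entry["client_cert_required"]:
            notes.append(
                f"{iface}: 'http authentication-certificate {iface}' is set, so ASDM/browser "
                f"clients must present a client certificate from a PKI the ASA trusts; this is "
                f"separate from the ASA's own self-signed server certificate"
            )
        if entry["trustpoint"] is None:
            notes.append(f"{iface}: no ssl trust-point bound; the ASA falls back to its default self-signed certificate")
    return notes


if __name__ == "__main__":
    report = audit_asdm_access(SAMPLE_CONFIG)
    for note in findings(report):
        print(note)
    # Re-audit with the fix from the thread applied.
    fixed = audit_asdm_access(SAMPLE_CONFIG + "no http authentication-certificate inside\n")
    print("after fix:", findings(fixed) or "no findings")
```

Run it against a "show running-config" capture saved to a file by reading the file into audit_asdm_access; the parser deliberately ignores everything except the http and ssl trust-point lines, so masked or unrelated lines do not disturb it.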

 

 

Thank You VERY much...

no http authentication-certificate inside fixed the issue for me.

I had to use an old ASA 5506-X to recover from the failure of an ASA 5508-X apparently affected by the time bug. The darn thing died in the middle of the night; this morning around 5:30 am I had to scramble to get the retail location's Internet access working, as the store was opening to the public at 6 am.

Anyway, the command no http authentication-certificate inside did work for me.

 

Thank you!
