03-25-2015 04:39 PM - edited 03-11-2019 10:42 PM
Recently updated an ASA 5505. Now running into an ASDM certificate validation failure. Also, the browser returns 401 Unauthorized.
After some troubleshooting I determined that "no http authentication-certificate inside" would allow ASDM to function correctly.
Have another ASA self-signed cert on outside which is functioning fine for AnyConnect SSL/IPsec VPN.
Followed instructions at: http://www.cisco.com/c/en/us/td/docs/security/asdm/identity-cert/cert-install.html but it still requires certificate auth to be disabled.
ASA843 and ASDM-674 did not experience this behavior.
I'm not understanding the command "no http authentication-certificate inside" or ASDM certificate authentication itself.
Will the ASA self-signed cert not work if this command is enabled?
Appreciate any help. Thank you.
Info
Java 1.7.0_45 with ASDM certificate added
Certificate also added to Win7 trusted root
---------------------------
boot system disk0:/asa916-k8.bin
asdm image disk0:/asdm-731-101.bin
!
! console/HTTP/SSH logins use the LOCAL user database
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
!
! HTTPS server for ASDM and the hosts allowed to reach it (addresses masked)
http server enable *****
http server idle-timeout 60
http ***** 255.255.255.255 inside
http ******* 255.255.255.0 inside
!
! self-signed identity cert presented on outside (AnyConnect)
crypto ca trustpoint ANYCONNECT
 enrollment self
 subject-name CN=Here
 keypair ANYCONNECT
 crl configure
! self-signed identity cert presented on inside (ASDM)
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=(*ASA INSIDE IP*)
 keypair ASDM
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca server
 shutdown
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ANYCONNECT
 certificate ******
    ******
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ******
    ******
  quit
management-access inside
ssl encryption aes256-sha1 aes128-sha1
! server-side certs the ASA presents, per interface
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ANYCONNECT outside
03-25-2015 08:46 PM
Hi,
To be clear, the identity cert process is only needed because of the changes after Java 7 Update 51.
I think, since removing certificate auth on the interface makes the login work and resolves the issue, it seems to be related to the certificate auth itself.
Thanks and Regards,
Vibhor Amrodia
03-26-2015 07:26 PM
Thank you.
So the clarification was here:
https://supportforums.cisco.com/discussion/12425591/require-client-certificate-access-asdm-following-interfaces
"Client certificates are a totally separate issue. That's typically only used when you have a PKI and are using the certificates issued to a client as a form of authentication and/or authorization"
My confusion came from the fact that the ASA915 upgrade automatically enabled the client cert auth requirement, which wasn't enabled in my ASA843 config.
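As an added illustration (not part of any post in this thread), here is the check and the change the thread converges on, typed on an ASA 9.x CLI. The interface name `inside` and the trustpoint name `ASDM_TrustPoint0` are taken from the posted config; the hostname `ciscoasa`, the 192.0.2.0/24 management network and the `show` output are placeholders, not captured from anyone's device.

```text
! 1. Check whether the HTTP server demands a client certificate on the
!    management interface. That line, not the self-signed server cert,
!    is what makes a browser without a client cert get 401 and makes
!    ASDM report a certificate validation failure.
ciscoasa# show running-config http
http server enable
http server idle-timeout 60
http 192.0.2.0 255.255.255.0 inside
http authentication-certificate inside      <-- requires a client cert

! 2. Drop the client-certificate requirement. Username/password login
!    against the LOCAL database (aaa authentication http console LOCAL)
!    still applies; only the extra client-cert check goes away.
ciscoasa# configure terminal
ciscoasa(config)# no http authentication-certificate inside
ciscoasa(config)# write memory

! 3. The server-side identity cert is a separate setting and stays in
!    place: this is the self-signed cert ASDM/the browser validates.
ciscoasa# show running-config ssl
ssl encryption aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 inside
```

The two commands answer the question asked above: `ssl trust-point <tp> <if>` picks the certificate the ASA presents to the client, while `http authentication-certificate <if>` asks the client to present its own certificate and rejects the session when it cannot. A self-signed server cert keeps working with the second command removed; with it enabled, ASDM only works if the workstation also holds a client certificate the ASA will accept.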
07-15-2016 04:22 PM
Thank You VERY much...
"no http authentication-certificate inside" fixed the issue for me.
11-29-2019 01:38 PM
I had to use an old ASA 5506-X to recover from the failure of an ASA 5508-X apparently affected by the time bug. The darn thing died in the middle of the night; this morning around 5:30 am I had to scramble to get the retail location's Internet access working, as the store was opening to the public at 6 am.
Anyway, the command "no http authentication-certificate inside" did work for me.
Thank you!