ASA ASDM SSL Certificate validation failure

taysandman
Level 1

Recently updated an ASA 5505. Now running into an ASDM certificate validation failure. Also, the browser returns 401 Unauthorized.

After some troubleshooting I determined that "no http authentication-certificate inside" would allow ASDM to function correctly.

Have another ASA self signed cert on outside which is functioning fine for anyconnect SSL/IPsec VPN.

Followed instructions at:  http://www.cisco.com/c/en/us/td/docs/security/asdm/identity-cert/cert-install.html but still requires certificate auth to be disabled.

 

ASA843 and ASDM-674 did not experience this behavior.

I'm not understanding the command "no http authentication-certificate inside" or ASDM certificate authentication itself.

 

Will ASA self signed cert not work if this command enabled?

Appreciate any help.  Thank you.

 

Info

Java 1.7.0_45 with ASDM certificate added

Certificate also added to win7 trusted root

 

---------------------------

boot system disk0:/asa916-k8.bin

asdm image disk0:/asdm-731-101.bin

 

aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable *****
http server idle-timeout 60
http ***** 255.255.255.255 inside
http ******* 255.255.255.0 inside

 

crypto ca trustpoint ANYCONNECT
 enrollment self
 subject-name CN=Here
 keypair ANYCONNECT
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=(*ASA INSIDE IP*)
 keypair ASDM
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca server
 shutdown
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ANYCONNECT
 certificate ******
    ******
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate  ******
     ******
  quit

management-access inside

ssl encryption aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ANYCONNECT outside

4 Replies

Vibhor Amrodia
Cisco Employee

Hi,

To be clear, the identity cert process is only needed because of the changes after Java 7 Update 51.

I think, as the login works after removing certificate auth on the interface (which resolves the issue), it seems to be related to the certificate auth itself.

Thanks and Regards,

Vibhor Amrodia

Thank you.

So the clarification was here:

https://supportforums.cisco.com/discussion/12425591/require-client-certificate-access-asdm-following-interfaces

"Client certificates are a totally separate issue. That's typically only used when you have a PKI and are using the certificates issued to a client as a form of authentication and/or authorization"

 

My confusion came from the fact that the ASA915 upgrade automatically enabled the client cert auth requirement, which wasn't enabled in my ASA843 config.

 

 

Thank You VERY much...
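Added example for readers who hit the same confusion; this is not from the original poster, the replies above, or a Cisco document. It puts the three separate pieces of ASA configuration the thread ran together side by side: the identity certificate the ASA presents to ASDM (what the Java 7u51 identity-cert guide covers), the client-certificate requirement the upgrade left enabled on the inside interface, and the two ways to resolve it. The IP address 192.0.2.1, the trustpoint name CLIENT_CA, the certificate map name ASDM_ADMINS and the OU value NetAdmin are placeholders chosen here, not values from the thread.

```text
! --- 1. Identity certificate: what the ASA PRESENTS to the ASDM launcher/browser.
!        This is the only part the Java 7u51 identity-cert procedure deals with.
!        (Placeholder CN 192.0.2.1; use the inside IP or hostname ASDM connects to.)
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=192.0.2.1
 keypair ASDM
crypto ca enroll ASDM_TrustPoint0 noconfirm
ssl trust-point ASDM_TrustPoint0 inside

! --- 2. Client-certificate authentication: what the ASA DEMANDS FROM the client.
!        Unrelated to the identity cert above. A browser or ASDM that holds no
!        certificate issued by a CA the ASA trusts gets 401 / "validation failure".
!        This is the line the poster found enabled after the upgrade.
http authentication-certificate inside

! --- Fix A (what the thread did): stop requiring a client cert. Management then
!        relies on username/password via the AAA method plus the http ACL, so keep
!        the permitted management hosts as narrow as the original config shows.
no http authentication-certificate inside
aaa authentication http console LOCAL
http 192.0.2.10 255.255.255.255 inside

! --- Fix B (only if you actually operate a PKI that issues admin client certs):
!        keep the requirement, trust the issuing CA, and restrict which certs qualify.
!        CLIENT_CA, ASDM_ADMINS and ou=NetAdmin are placeholder names.
crypto ca trustpoint CLIENT_CA
 enrollment terminal
 crl configure
crypto ca authenticate CLIENT_CA
 ! paste the issuing CA's PEM certificate here, then "quit"
crypto ca certificate map ASDM_ADMINS 10
 subject-name attr ou eq NetAdmin
http authentication-certificate inside match ASDM_ADMINS

! --- Verify which state you are in before and after the change.
show running-config http
show ssl
show crypto ca certificates
```

The quick diagnostic is `show running-config http`: if `http authentication-certificate <interface>` appears for the interface ASDM connects to, the ASA is asking the client for a certificate regardless of how good the identity certificate in `ssl trust-point` is, and re-doing the identity-cert procedure will not change the 401.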

no http authentication-certificate inside fixed the issue for me.

I had to use an old ASA 5506-X to recover from the failure of an ASA 5508-X apparently affected by the time bug. The darn thing died in the middle of the night; this morning around 5:30 am I had to scramble to get the retail location's Internet access working, as the store was opening to the public at 6 am.

Anyway, the command no http authentication-certificate inside did work for me.

 

Thank you!
