07-02-2024 01:04 AM
Hello,
On the old ASA FW I had an SSL configuration for multiple domains... for VPN and AnyConnect use. If a user typed vpn.domaina.example into AnyConnect, it matched the correct certificate and the AnyConnect client showed no warning about an untrusted certificate...
example:
ssl trust-point TRUSTPOINT-A domain vpn.domainA.example
ssl trust-point TRUSTPOINT-B domain vpn.domainB.example
etc.
Is it possible to do this on FMC/FTD 7.2.5?
I did not find it; I tried looking at FlexConfig, maybe I missed something...
thanks.
07-02-2024 03:20 AM
Can you elaborate more?
MHM
07-02-2024 05:31 AM
It is simple...
How to move the ASA config:
"ssl trust-point TRUSTPOINT-A domain vpn.domainA.example
ssl trust-point TRUSTPOINT-B domain vpn.domainB.example"
to FTD, so that you have more domains (VPN domains/URLs) on the same FTD with the matching correct wildcard (*) certificate (*.domain.xyz), to avoid users seeing warnings about an untrusted site certificate when it does not match.
07-02-2024 05:57 AM
@Matus Kozak, are you sure that adding "domain" option to the "ssl trust-point" command solves untrusted certificate issue because ASA is able to choose correct trustpoint when client connects? How do you start connection, from the browser or right from the AnyConnect client?
I'm confused, because the AnyConnect client doesn't support the TLS SNI extension yet, which is a design bug CSCue35947 / CSCvh77602. So, if the client doesn't send SNI, the ASA doesn't know which "virtual server" the client connects to during the TLS handshake and hence cannot choose the correct certificate for the respective domain (group-url)...
07-02-2024 06:49 AM
@tvotna well, I'm sure that I don't have an issue with the cert and untrusted domain; on ASA 9.12(4) it is working and it does not matter if it is AnyConnect or the browser. So if I go to one URL I have the correct cert, and if I go to the second URL I again have the correct cert for the second domain.
I migrated the ASA to FTD and I would like to use a similar config on FTD, where I have more domains and need to match the correct cert (webserver? cert).
07-02-2024 10:33 AM
I'm puzzled. I don't understand how this can work on ASA. Let's ask @ccieexpert , maybe he can shed some light.
FMC doesn't have an option to configure "domain" as you mentioned. So the only option is to use FlexConfig here.
07-02-2024 11:34 PM
The Secure Client does support SNI. Unfortunately, from what I can see, FlexConfig does not support it. You may want to talk to your partner or Cisco account team to take it up with the business unit...
07-03-2024 01:47 AM - edited 07-03-2024 01:57 AM
Right. Looking at the sniffer trace I can confirm that AnyConnect 4.10 sends SNI. Looks like Cisco fixed this issue at some point, but forgot to update CSCvh77602.
@Matus Kozak, the solution is to generate a new FTD certificate and include all of the FTD hostnames in the SAN certificate field.
07-03-2024 11:53 AM
The problem or challenge is that multiple engineers can file bugs and they become duplicates... and at times a QA/developer may file a new bug... You can open a TAC case and have them link all of these as duplicates to the bug that added the feature...
07-03-2024 05:41 AM
I think you need two points here, if I am correct:
1- FTD using wildcard
https://community.cisco.com/t5/vpn/ftd-vpn-wildcard-certificate/td-p/4184374
2- FTD using cert mapping
https://integratingit.wordpress.com/2023/07/14/ftd-anyconnect-certificate-map/
This makes FTD use a wildcard for both AnyConnect groups, and FTD uses the user cert to map it to the correct profile.
MHM
07-03-2024 07:00 AM
@tvotna , I don't need more FTD hostnames included in the SAN. I need multiple certificates (wildcards) to match multiple domain names, as I wrote in the first post.
@MHM Cisco World , thanks. 2- FTD cert mapping is for user authentication; it's good but I don't need this.
I have two wildcard certs for two different domains... I need similar functionality to what it was on the ASA... domain cert match. So I have a trust-point for one domain and a second trust-point for the second domain, and if somebody types https://firstdomain into AnyConnect or a browser it matches the first cert, and https://seconddomain matches the second trust-point. Two (or more) domains on the outside interface, same IP. Hope it is clear.
07-03-2024 07:24 AM
In FTD, when you add an AnyConnect connection profile you can select which cert FTD will use for this profile, and here you can use a wildcard cert.
So first add two certs to FTD, one for each CA (trust point), and then use each one for a different AnyConnect profile.
You have two choices: 1- use PKCS12, 2- use manual, i.e. generate a CSR and sign the FTD identity cert from the CA.
That's it.
MHM
07-03-2024 08:38 AM
@Matus Kozak, instead of multiple certificates use a single certificate and include *.domainA.example and *.domainB.example in the SAN field. You can put as many hostnames or domain names into the SAN as you need when creating the certificate signing request on Windows or with OpenSSL (ASA/FTD cannot do this). That simple.
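Added example (editor's illustration, not code from any poster or from Cisco): a small Python model of the two points this thread turns on, the per-domain trust-point selection the ASA did with "ssl trust-point ... domain" (which only works when the client sends SNI) and the single multi-SAN wildcard certificate proposed as the FTD workaround. The trust-point names, the SAN lists and the hostnames are constructed from the examples in the thread; the wildcard matching follows the usual one-label rule from RFC 6125, so "*.domainA.example" covers vpn.domainA.example but not a.b.domainA.example or the bare domainA.example.

```python
"""Model of SNI-based trust-point selection vs. one multi-SAN wildcard cert.

Constructed illustration for the FTD/ASA certificate-per-domain question;
not an actual ASA/FTD API. The SAN lists below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading '*.' covers exactly one DNS label.

    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # "*.domainA.example" -> ".domaina.example"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # the label the '*' has to cover
    return bool(leftmost) and "." not in leftmost


@dataclass
class Trustpoint:
    """An identity certificate as the firewall would present it (constructed)."""
    name: str
    san: List[str]


def select_trustpoint(trustpoints: List[Trustpoint], sni: Optional[str],
                      default: Trustpoint) -> Trustpoint:
    """Emulate 'ssl trust-point X domain Y': pick the cert whose SAN covers the SNI.

    Without an SNI the server cannot tell which domain was requested and can
    only fall back to the interface default, which is why the SNI question
    matters for the per-domain design.
    """
    if sni is None:
        return default
    for tp in trustpoints:
        if any(hostname_matches(p, sni) for p in tp.san):
            return tp
    return default


def client_would_warn(requested_host: str, served_san: List[str]) -> bool:
    """True when no SAN entry of the served cert covers the host the user typed."""
    return not any(hostname_matches(p, requested_host) for p in served_san)


# Constructed trust-points mirroring the thread's two-domain setup.
TP_A = Trustpoint("TRUSTPOINT-A", ["*.domainA.example"])
TP_B = Trustpoint("TRUSTPOINT-B", ["*.domainB.example"])
# The single-cert workaround: both wildcards in one SAN field. With OpenSSL
# such a CSR can be requested with e.g.
#   openssl req -new -newkey rsa:2048 -nodes -keyout ftd.key -out ftd.csr \
#     -subj "/CN=vpn.domainA.example" \
#     -addext "subjectAltName=DNS:*.domainA.example,DNS:*.domainB.example"
# (command shown for illustration; requires OpenSSL 1.1.1 or later).
TP_COMBINED = Trustpoint("TRUSTPOINT-AB", ["*.domainA.example", "*.domainB.example"])


def scenarios() -> dict:
    """Run the cases the thread discusses and report whether the client warns."""
    per_domain = [TP_A, TP_B]
    out = {}
    # Client sends SNI: per-domain selection works like the ASA config.
    served = select_trustpoint(per_domain, "vpn.domainB.example", default=TP_A)
    out["sni_per_domain"] = (served.name, client_would_warn("vpn.domainB.example", served.san))
    # Client sends no SNI: only the default cert can be served -> warning for domain B.
    served = select_trustpoint(per_domain, None, default=TP_A)
    out["no_sni_per_domain"] = (served.name, client_would_warn("vpn.domainB.example", served.san))
    # Single multi-SAN cert: no selection needed, both domains are covered.
    out["no_sni_combined"] = (TP_COMBINED.name, client_would_warn("vpn.domainB.example", TP_COMBINED.san))
    return out


if __name__ == "__main__":
    for case, (cert, warns) in scenarios().items():
        print(f"{case:20s} served={cert:14s} warning={'yes' if warns else 'no'}")
```

The third scenario is the reason the single multi-SAN certificate sidesteps the whole SNI discussion: whatever the client does, the one certificate the interface presents already covers both domains, so there is nothing for the firewall to select.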
07-03-2024 12:00 PM
I think until they implement that feature, the suggestion to use multiple wildcards in one cert may be the way to go.
07-27-2024 12:33 PM
One option which worked for me was to change HostName and HostAddress in the XML profile...
For example:
<HostName>domain1.example.com</HostName>
<HostAddress>domain2.example.com</HostAddress>
or vice versa.