09-29-2015 12:08 PM - edited 03-11-2019 11:39 PM
Hello everyone,
I have an ASA5550, on which I have successfully configured AnyConnect (Client version 3.1.10010) to authenticate with both Username/Password and User certificate issued by my internal CA.
What I'm actually trying to achieve is to allow only computer domain members to login to this VPN access. So users cannot connect to the VPN when they are in their non-corporate devices.
I know every domain member computer has a certificate issued by my internal CA. Is it possible to use this certificate to authenticate the VPN instead of the User Cert?
I only have the Cisco AnyConnect Essentials license.
Version 9.1(6)4
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 400 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 5000 perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
09-29-2015 09:31 PM
Hi Alisson,
I think you can use the certificate matching feature under the XML profile of AnyConnect; make sure the certificate store field is selected as "all". Also you can limit the devices that can connect to the VPN with DAP.
See more information below.
XML features
https://supportforums.cisco.com/document/12549161/anyconnect-xml-preferences
https://supportforums.cisco.com/document/12550601/anyconnect-xml-settings
DAP files
Hope it helps.
-Randy-
10-01-2015 06:45 AM
Hello Randy,
Thank you for your answer.
That is exactly what I was looking for.
Best regards.
10-28-2016 11:55 AM
It's been a long time, but I would like to update this to say that new Windows (7 and 10) when using UAC at high levels still are unable to read the machine certificates, even with the option "Certificate store override" enabled in the Cisco AnyConnect client profile.
After struggling with it for weeks, I found out that the issue is related to the users with no admin privileges not being able to read the private key on the computer identity certificate.
If you add the permission, it will work.
Since I have to do this on about 2.5k computers, I had to use a PowerShell script + GPO on Windows that sets the permission.
After that, VPN has been working just fine.
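A script of the kind the post above describes, added here as an illustration; it is not the poster's own script, which is not in the thread. It assumes placeholder values for the issuing CA name and the domain group that should be allowed to use the key, and it has to run with SYSTEM or local administrator rights (for example as a GPO startup script) because the key container files are owned by SYSTEM.

```powershell
# Added example (not the poster's script): grant a domain group Read access to the
# private key of the machine identity certificate so that a non-admin user's
# AnyConnect session can use it. CA name and group below are placeholders.
$IssuerMatch = 'CN=CORP-ISSUING-CA'      # placeholder: subject of your internal CA
$Identity    = 'CORP\Domain Users'       # placeholder: group that should use the VPN

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Error "No machine certificate from $IssuerMatch found"; exit 1 }

# Resolve the key container file name. Legacy CSP keys expose UniqueKeyContainerName;
# CNG (KSP) keys expose Key.UniqueName through the RSA extension method.
$keyName = $null
try { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch {}
if (-not $keyName) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
}
if (-not $keyName) { Write-Error "Could not resolve key container for $($cert.Thumbprint)"; exit 1 }

# CSP keys live under ...\Crypto\RSA\MachineKeys, CNG keys under ...\Crypto\Keys.
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName `
    -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { Write-Error "Key file $keyName not found under ProgramData\Microsoft\Crypto"; exit 1 }

# Grant Read only, never FullControl: the key stays non-exportable and the group can
# only perform operations with it (which is all the TLS client handshake needs).
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl
Write-Output "Granted Read on $($keyFile.FullName) to $Identity for cert $($cert.Thumbprint)"
```

Scope the group as narrowly as you can (a VPN-users group rather than all domain users), since anyone granted Read can authenticate with the machine identity from that host.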
10-04-2018 06:32 PM