
Cisco AnyConnect: Check Computer Certificate Domain Membership

Alisson C
Level 1

Hello everyone,

I have an ASA5550, on which I have successfully configured AnyConnect (client version 3.1.10010) to authenticate with both username/password and a user certificate issued by my internal CA.

What I'm actually trying to achieve is to allow only domain member computers to log in to this VPN access, so users cannot connect to the VPN from their non-corporate devices.

I know every domain member computer has a certificate issued by my internal CA. Is it possible to use this certificate to authenticate the VPN instead of the user cert?

I only have the Cisco AnyConnect Essentials license.

Version 9.1(6)4

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 400            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 5000           perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual


Accepted Solution

rvarelac
Level 7

Hi Alisson,

I think you can use the certificate matching feature under the XML profile of AnyConnect; make sure the certificate store field is set to "all". Also, you can limit the devices that can connect to the VPN with DAP.

See more information below.

XML features

https://supportforums.cisco.com/document/12549161/anyconnect-xml-preferences

https://supportforums.cisco.com/document/12550601/anyconnect-xml-settings


DAP files

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html

Hope it helps.

-Randy- 

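To make Randy's two client-side settings concrete, here is an AnyConnect 3.1 VPN client profile fragment that sets the certificate store to All and adds a certificate match on the issuer of the internal CA. This is an added example, not a profile from the thread or from Cisco; the CA common name, the VPN host and the profile name are placeholders, and the ClientInitialization elements not relevant to certificate selection are left out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (assumed name: corp-machine-cert.xml), pushed from
     the ASA to the client. Element names follow the AnyConnect 3.1 schema. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <!-- Let the client pick the matching certificate without prompting. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <!-- "All": search the machine store as well as the user store. -->
    <CertificateStore>All</CertificateStore>
    <!-- Allow a non-administrator session to use machine-store certificates
         (the "Certificate store override" checkbox in the profile editor). -->
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <!-- Only offer certificates that (a) can sign, (b) carry the client-auth
         EKU and (c) were issued by the internal CA (assumed CN: corp-issuing-ca).
         A domain machine certificate satisfies all three; a user cert from
         the same CA is excluded by the store search order only if the user
         store copy is absent, so the DN match is what narrows the choice. -->
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>corp-issuing-ca</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.corp.example.com</HostName>   <!-- placeholder -->
      <HostAddress>vpn.corp.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two caveats a practitioner should keep in mind. CertificateMatch only governs which certificate the client presents; it is not an access control, because the profile lives on the endpoint and can be edited. The "only domain members" requirement is enforced on the ASA, by trusting only the internal CA on the tunnel-group's trustpoint and, as Randy notes, by DAP rules on certificate attributes. And the machine certificate's private key must be readable by the logged-on user for CertificateStoreOverride to help, which is exactly the problem Alisson reports later in this thread.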

4 Replies


Hello Randy,

Thank you for your answer.

That is exactly what I was looking for.
Best regards.

Alisson C
Level 1

It's been a long time, but I would like to update this to say that newer Windows versions (7 and 10), when using UAC at high levels, are still unable to read the machine certificates, even with the option "Certificate store override" enabled in the Cisco AnyConnect client profile.

After struggling with it for weeks, I found out that the issue is related to users with no admin privileges not being able to read the private key of the computer identity certificate.

If you add the permission, it will work.
Since I have to do this on about 2.5k computers, I had to use a PowerShell script + GPO on Windows that sets the permission.

After that, the VPN has been working just fine.
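The following PowerShell script is an added example of the permission fix Alisson describes, written for this page and not taken from the thread. It locates the on-disk private key file of the machine certificate issued by the internal CA and grants a chosen principal Read access to it, so AnyConnect running in a non-admin session can use the key. The issuer CN and the group name are placeholders; the key file locations are the standard Windows paths for CSP (CAPI) and CNG (KSP) machine keys. Run it elevated; as a GPO computer startup script it runs as SYSTEM.

```powershell
<#
  Added example (not the original poster's script). Grants $Principal read
  access to the private key of the machine identity certificate so the
  AnyConnect client, running as a standard user, can authenticate with it.
  Assumptions: the internal CA's subject CN is "corp-issuing-ca" and the
  principal is the domain group "CORP\VPN-Users"; both are placeholders.
#>
param(
    [string]$IssuerCN  = 'corp-issuing-ca',
    [string]$Principal = 'CORP\VPN-Users'
)

$ErrorActionPreference = 'Stop'

# Resolve the file on disk that backs the certificate's private key.
function Get-MachineKeyPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Legacy CSP (CAPI) keys: the file is named after the unique container.
    try {
        $csp = $Cert.PrivateKey.CspKeyContainerInfo
        if ($csp) {
            return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $csp.UniqueKeyContainerName
        }
    } catch { }   # CNG-backed certs throw or return null here on older .NET; fall through

    # CNG (KSP) keys: needs the .NET 4.6+ extension method, which stock
    # Windows 7 / PowerShell 2.0 does not have, so probe for the type first.
    $ext = 'System.Security.Cryptography.X509Certificates.RSACertificateExtensions' -as [type]
    if ($ext) {
        $rsa = $ext::GetRSAPrivateKey($Cert)
        if ($rsa -and $rsa.Key) {
            return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
        }
    }
    return $null
}

# Pick the current, non-expired machine certificate(s) issued by the internal CA.
$issuerPattern = "CN=$([regex]::Escape($IssuerCN))(,|$)"
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.Issuer -match $issuerPattern) -and ($_.NotAfter -gt (Get-Date))
}
if (-not $certs) {
    Write-Warning "No valid machine certificate issued by CN=$IssuerCN in LocalMachine\My"
    exit 1
}

$readRights = [System.Security.AccessControl.FileSystemRights]::Read

foreach ($cert in $certs) {
    $keyPath = Get-MachineKeyPath -Cert $cert
    if (-not $keyPath -or -not (Test-Path -LiteralPath $keyPath)) {
        Write-Warning "Could not locate the private key file for $($cert.Thumbprint)"
        continue
    }

    $acl = Get-Acl -LiteralPath $keyPath

    # Idempotent: skip if the principal already has (at least) Read.
    $already = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readRights) -eq $readRights)
    }
    if ($already) {
        Write-Output "Read already granted to $Principal on key for $($cert.Thumbprint)"
        continue
    }

    # Read is sufficient: AnyConnect uses the key in place and never needs to write it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyPath -AclObject $acl
    Write-Output "Granted Read to $Principal on $keyPath (cert $($cert.Thumbprint))"
}
```

Two points on scope. Read access to the key file lets that principal sign with the machine identity (and export it, if the key was marked exportable at enrollment), so grant a specific group rather than Authenticated Users and keep the key non-exportable in the certificate template. The ACL also does not survive a renewal that creates a new key container, which is why deploying this as a startup script that re-checks on every boot, as Alisson did with GPO, is the right shape: the script is idempotent and simply re-applies the grant when the key file changes.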

We will check this out. We are having a similar issue. Thanks!