05-22-2021 01:02 PM
Hello,
Today I was making a lab to test Cisco Clientless SSL VPN authentication by using certificates (Local CA) before a real deployment. Provisioned a standalone MS 2012R2 CA and a test client (win 7 ultimate SP1).
On the client I imported the CA cert, requested and successfully installed its identity cert also.
The same on the ASA.
After configuring the tunnel-group with cert-based authentication, the client gives an error saying that this certificate is for another website. It seems to be a name mismatch, but the issue that made me feel frustrated is that the portal URL is https://asa.ccnpsec.org and the CN in the ASA cert is "asa.ccnpsec.org", so the CN is correct. I really couldn't resolve this issue after 5 hours of troubleshooting.
Thank you
05-22-2021 01:07 PM - edited 05-22-2021 01:08 PM
Which web browser were you using? Firefox, Chrome etc. don't look at the Windows machine certificate store, so won't natively trust the certificate. If using Microsoft Internet Explorer or Edge, those browsers do check the certificate store, so should trust the certificate.
Aside from that, the error message would indicate what the issue was, so would help you narrow down the problem.
05-22-2021 01:32 PM
Hi Rob,
Actually I used IE 8 and faced that error.
I don't know why this is happening.
Thank you.
05-22-2021 01:49 PM
@Rami Ibrahim When you imported the certificate did you enable the trustpoint on the outside interface? If not it could still be the self-signed certificate.
Please provide a screenshot of the error.
05-22-2021 02:23 PM
05-22-2021 02:36 PM
@Rami Ibrahim install Wireshark on the Windows 7 computer, take a packet capture when you connect to the ASA, so we can see what certificate is presented. Upload the pcap here for review.
05-23-2021 09:50 AM
Hi
Unfortunately I couldn't do a live capture since Win7 is a VM inside EVE-NG, so Wireshark couldn't get the list of adapters.
Tried to do the capture from the EVE-NG topology, but no traffic was recorded, I don't know why.
I just got a new certificate for the Win PC and tried again. Now when I click Continue after the certificate error, the client is able to log in to the portal. Actually I really don't know why I'm still seeing the address mismatch error since the CN and the URL are the same.
Some people advised me to put a wildcard certificate on the ASA with the same domain name, like *.example.com, but I am not that familiar with MS CA. I generated one, but when trying to import it on the ASA it asked about a decryption passphrase and I did not know how to put this passphrase on the cert on the CA.
Maybe I would advise the customer to put a real (commercial) certificate on the ASA and use the internal CA for clients (do you recommend this scenario?).
I really appreciate your help and thanks a lot.
05-23-2021 11:11 AM
I see no reason why Wireshark should have an issue finding the adapters inside a VM. Do you have administrator permissions on the local computer?
Yes, it's common to use a public signed certificate on the ASA when using RAVPN.
I see no reason why you'd need a wildcard certificate.
05-23-2021 12:15 PM
Thanks Rob,
I think something is wrong on my EVE so that Wireshark is broken.
Actually my friend is a systems guy and told me that if there is an internal CA then probably there will be a wildcard cert for the internal resources, so I could use it on the ASA, so the client would check only the domain name inside the ASA certificate regardless of the CN.
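One check worth running against the certificate the ASA actually presents, as an added example that is not part of this thread and not Cisco or Microsoft tooling: the hostname comparison a browser performs. When the certificate carries a subjectAltName extension with DNS entries, those entries are authoritative and the CN is ignored (RFC 6125 section 6.4.4, which is the rule current browsers apply), so a "correct" CN next to a SAN that names a different host still produces an address-mismatch error; a wildcard is honoured only as the whole leftmost label and never matches across a dot, which is what the wildcard suggestion above relies on. The sample certificate dicts below are constructed in the shape returned by Python's ssl getpeercert(); the hostnames in them and the lab CA file argument of the live helper are assumptions.

```python
import socket
import ssl

# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns.
# CERT_SAN_MISMATCH models the situation from the thread: the CN equals the
# portal hostname, but the SAN (which is what browsers check) names another host.
CERT_CN_ONLY = {
    "subject": ((("commonName", "asa.ccnpsec.org"),),),
}
CERT_SAN_MISMATCH = {
    "subject": ((("commonName", "asa.ccnpsec.org"),),),
    "subjectAltName": (("DNS", "asa-old.ccnpsec.org"),),   # constructed name
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.ccnpsec.org"),),),
    "subjectAltName": (("DNS", "*.ccnpsec.org"),),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored,
    and '*' accepted only as the entire leftmost label of a pattern with
    at least two more labels (so '*.com' is refused)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # Same number of labels means the wildcard covers exactly one label.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """All dNSName entries of the subjectAltName extension, if any."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(cert: dict):
    """The subject commonName, or None if the subject has no CN."""
    for rdn in cert.get("subject", ()):
        for (kind, value) in rdn:
            if kind == "commonName":
                return value
    return None


def hostname_matches(cert: dict, hostname: str) -> tuple:
    """Return (matched, reason). A SAN with DNS names is authoritative and the
    CN is then ignored; the CN is consulted only when no DNS SAN exists at all."""
    names = san_dns_names(cert)
    if names:
        for name in names:
            if _dns_label_match(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, f"SAN present {names} but none matches {hostname!r}; CN is ignored"
    cn = subject_cn(cert)
    if cn and _dns_label_match(cn, hostname):
        return True, f"no DNS SAN; matched legacy CN {cn!r}"
    return False, f"no DNS SAN; CN {cn!r} does not match {hostname!r}"


def fetch_peer_cert(host: str, ca_file: str, port: int = 443) -> dict:
    """Live helper (needs network and the lab CA's PEM file, an assumed path):
    chain validation against the lab CA is kept so getpeercert() is populated,
    but hostname checking is switched off so a mismatched certificate can still
    be retrieved and examined with hostname_matches()."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY),
                        ("SAN mismatch", CERT_SAN_MISMATCH),
                        ("wildcard", CERT_WILDCARD)):
        print(label, hostname_matches(cert, "asa.ccnpsec.org"))
    # Live use, with assumed paths/names:
    # print(hostname_matches(fetch_peer_cert("asa.ccnpsec.org", "lab-ca.pem"),
    #                        "asa.ccnpsec.org"))
```

The reason string is the useful part when troubleshooting: it tells you whether the browser's decision came from the SAN or from the legacy CN fallback, which a quick look at the certificate's Subject field alone does not reveal.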