I am using a Cisco ASA with version 9.6.3 and a Cisco AnyConnect client on a Windows 10 domain-joined machine with version 4.5.X.
I also installed our root certificate from our MS Root CA into the ASA.
I am able to connect with:
- User certificate
- Local ASA user and password
I would like to set up a pre-logon VPN connection. When I try to use the machine certificate (after deleting all user certs) to authenticate, the AnyConnect client tells me that it has no valid certificate.
I checked a few community articles and so on but haven't found anything helpful.
One question: does the ASA need an identity certificate to use the machine certificate for this?
Does someone have an idea what could help me out?
Currently I think the problem is related to the client, in that it is not using the machine cert.
Did you ever get a resolution on this? Curious, as I will be beginning the process of incorporating AnyConnect 4.5 with ASA and ISE 2.2 for posture check, for which I'd like to use both the user and machine certs for authentication.
I'm currently working on this solution as well, with limited success. I have the root and intermediary certs installed on the ASA. The machine cert is installed in the machine store of my W7 machine. I've configured the VPN profile to use machine cert and configured it for "certificate store override". I receive the certificate error as well.
To get around this, I go into the W7 machine store. Right-click on the cert, All Tasks > Manage private keys. Then I add myself with Full control and read permissions. Then it works. I'm currently an admin on my machine so I'm not sure why I have to do this, unless it's because I'm the user logged into the Windows machine. The problem is when the certificate is replaced. I would have to re-add myself again.
I'm running 22.214.171.124 on the ASA but I've also had this same issue with 9.5.X. I've tried AnyConnect 4.2.X and 4.4.04030. I still need to add myself to the cert in the machine store.
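The "Manage private keys" step above, as an added PowerShell example that is not part of this thread: it locates the machine certificate in LocalMachine\My by issuer, finds the file that holds its private key, lists who can already use it, and grants the logged-on user Read access only, which is enough for the client to sign with the key and narrower than the Full control mentioned above. The issuer name "CONTOSO-ROOT-CA" is a placeholder, and the script assumes an RSA key in a legacy CSP container (CNG keys are stored under a different path and are not handled here).

```powershell
# Added example, not from the thread. Assumes a legacy CSP (RSA) machine key;
# CNG keys live under ProgramData\Microsoft\Crypto\Keys and need a different lookup.
param(
    [string]$IssuerMatch = 'CN=CONTOSO-ROOT-CA',            # placeholder issuer, adjust to your CA
    [string]$Principal   = "$env:USERDOMAIN\$env:USERNAME"  # user who must be able to use the key
)

# Pick the newest machine certificate from that issuer that has a private key
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No machine certificate with a private key issued by $IssuerMatch" }
if (-not $cert.PrivateKey) { throw "Private key is not a legacy CSP key (probably CNG); not handled here" }

# Legacy CSP keys: the container name maps directly to a file under MachineKeys
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

Write-Host "Certificate : $($cert.Subject)  thumbprint $($cert.Thumbprint)"
Write-Host "Key file    : $keyPath"

# Show the current ACL so the change is reviewable before it is applied
$acl = Get-Acl -Path $keyPath
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Grant Read only (no Full control): sufficient for the VPN client to use the key
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl
Write-Host "Granted Read on the private key to $Principal"
```

Run it from an elevated prompt each time the certificate is renewed, since a re-enrolled certificate gets a new key container with default permissions.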