It's been a long time, but I would like to update this to say that newer Windows (7 and 10), when using UAC at high levels, is still unable to read the machine certificates, even with the option "Certificate store override" enabled in the Cisco AnyConnect client profile.
After struggling with it for weeks, I found out that the issue is related to users with no admin privileges not being able to read the private key of the computer identity certificate.
If you add the permission, it will work. Since I have to do this on about 2.5k computers, I had to use a PowerShell script + GPO on Windows that sets the permission.
After that, VPN has been working just fine.
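As an added example (not the poster's own script), the following PowerShell does what the post describes: it finds the machine certificate issued by the internal CA in the LocalMachine store, locates its private key file on disk, and grants a standard-user group Read access to that one file only. The issuer fragment and the group name are placeholders to be replaced with your own values.

```powershell
# Constructed example: grant non-admin users Read on the private key of the
# machine identity certificate so AnyConnect can use it from a standard-user session.
# Assumptions (placeholders): issuer DN fragment and principal below are not real values.
$IssuerMatch = 'CN=CORP-ISSUING-CA'   # placeholder: fragment of your internal CA's issuer DN
$Principal   = 'BUILTIN\Users'        # group that must be able to read the key (Read only)

# Pick the newest machine cert from that CA that actually has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No machine certificate issued by '$IssuerMatch' found" }

# Resolve the key container file name. CAPI (RSA CSP) keys expose CspKeyContainerInfo;
# CNG keys do not, so fall back to the CNG key's UniqueName.
$keyName = $null
try {
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    }
} catch { }   # PrivateKey throws for CNG-backed certs on older .NET; handled below
if (-not $keyName) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
}
if (-not $keyName) { throw "Could not determine private key container for $($cert.Thumbprint)" }

# Machine keys live in one of these two locations depending on the provider type.
$candidates = @(
    (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"),
    (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$keyName")
)
$keyPath = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyPath) { throw "Private key file '$keyName' not found on disk" }

# Add a Read-only Allow ACE for the group; existing ACEs are left untouched.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify the resulting ACL so the GPO run can be audited from its output.
$granted = (Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $Principal -and $_.FileSystemRights -match 'Read' }
if (-not $granted) { throw "ACL update did not take effect on $keyPath" }
Write-Output "Granted Read on key of '$($cert.Subject)' ($($cert.Thumbprint)) to $Principal"
```

Run it elevated (as a GPO computer startup script, for instance), since the key files are writable only by administrators and SYSTEM.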
Hello everyone. I would like to clarify a question about the ASA and its trustpoints/certificates. So far, I have successfully configured the AnyConnect client to authenticate with both LDAP username+password and machine certificates. For that, I have a Microsoft internal CA in place to provide a certificate to every computer in my domain. To achieve that, I had to configure a trustpoint, add the CA chain, and add the identity certificate for the ASA to that trustpoint. This trustpoint is bound to the Outside interface, where my valid IP is configured and the clients connect to the VPN. Also, I noticed that there is no "Untrusted server" warning for my internal clients when they try to connect to the VPN, because they can trust the ASA certificate, since the CA that issued the ASA's certificate is common to everyone.

My problem is that I have a few hundred external clients, partners and service providers, who will also make use of this VPN. Some of their computers are not in our domain, so they will not trust the certificate that is bound to the trustpoint. And so, the "Untrusted VPN server" message will be displayed to them, and they will need to manually disable the "block the connection to untrusted servers" option. I do have a valid certificate that I can install on the ASA, provided by an external CA. Is it possible to install both certificates so that the external partners can also trust my server, and I can still use my internal certificate to authenticate domain computers? Is there a way to configure both certificates on the ASA? Thanks in advance
Hello everyone, I have an ASA5550, on which I have successfully configured AnyConnect (client version 3.1.10010) to authenticate with both username/password and a user certificate issued by my internal CA. What I'm actually trying to achieve is to allow only domain member computers to log in to this VPN access, so users cannot connect to the VPN from their non-corporate devices. I know every domain member computer has a certificate issued by my internal CA. Is it possible to use this certificate to authenticate the VPN instead of the user cert? I only have a Cisco AnyConnect Essentials license.

Version 9.1(6)4
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 400 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 5000 perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual