cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

6276
Views
5
Helpful
8
Replies
Highlighted

AnyConnect 3.1 untrusted certificate error

Hi,

I just upgraded our AnyConnect package on our ASA5510 from 3.06xxx to 3.1. When I tried to log in to the website to automatically install the client, it showed me a big error saying the Certificate is untrusted and I have to explicitly accept it. After accepting it, I had to restart the installation.

Is there a way to disable this strict certificate trust setting? We don't have a valid SSLVPN certificate yet, but this big error will confuse endusers.

Regards,

Ruud van Strijp

1 ACCEPTED SOLUTION

Accepted Solutions

AnyConnect 3.1 untrusted certificate error

Hi Ruud,

Yes, you can disable it with the local policy editor:

The profile editor can be found as anyconnect-profileeditor-win-3.1.01065-k9.exe at:

Standalone Profile Editor package on Windows platforms.

Enable Strict Certificate Trust in the AnyConnect Local Policy

Or you can disable it manually for each user:

Invalid Certificate Handling

However please keep this in mind:

Note          We strongly recommend you enable Strict Certificate Trust for the AnyConnect client for the following reasons:

•With the increase in targeted exploits, enabling Strict Certificate Trust in the local policy helps prevent "man in the middle" attacks when users are connecting from untrusted networks such as public-access networks.

•Even if you use fully verifiable and trusted certificates, the AnyConnect client, by default, allows end users to accept unverifiable certificates. If your end users are subjected to a man-in-the-middle attack, they may be prompted to accept a malicious certificate. To remove this decision from your end users, enable Strict Certificate Trust.

HTH.

Portu.

Please rate any helpful posts

* In case you don't have any further questions, please mark this post as answered.

View solution in original post

8 REPLIES 8

AnyConnect 3.1 untrusted certificate error

Hi Ruud,

Yes, you can disable it with the local policy editor:

The profile editor can be found as anyconnect-profileeditor-win-3.1.01065-k9.exe at:

Standalone Profile Editor package on Windows platforms.

Enable Strict Certificate Trust in the AnyConnect Local Policy

Or you can disable it manually for each user:

Invalid Certificate Handling

However please keep this in mind:

Note          We strongly recommend you enable Strict Certificate Trust for the AnyConnect client for the following reasons:

•With the increase in targeted exploits, enabling Strict Certificate Trust in the local policy helps prevent "man in the middle" attacks when users are connecting from untrusted networks such as public-access networks.

•Even if you use fully verifiable and trusted certificates, the AnyConnect client, by default, allows end users to accept unverifiable certificates. If your end users are subjected to a man-in-the-middle attack, they may be prompted to accept a malicious certificate. To remove this decision from your end users, enable Strict Certificate Trust.

HTH.

Portu.

Please rate any helpful posts

* In case you don't have any further questions, please mark this post as answered.

View solution in original post

AnyConnect 3.1 untrusted certificate error

Hi Portu,

Thank you for your extremely fast answer! Does the Local Policy Editor work for all clients? So can I upload the configured policy and use the ASA to push this to all clients? I don't want to run this tool on each and every laptop.

Regards,

Ruud van Strijp

AnyConnect 3.1 untrusted certificate error

Hi Ruud,

You are welcome!

It should work for any AnyConnect 3.1 version.

The AnyConnect Local Policy parameters reside in an XML file called AnyConnectLocalPolicy.xml. This file is not deployed by the ASA. You must deploy this file using corporate software deployment systems or change the file manually on a user computer

HTH.

Portu.

Please rate any helpful posts

AnyConnect 3.1 untrusted certificate error

Hi,

That's too bad. We use the ASA builtin website to let users install the AnyConnect client, because a lot of our users are on the road so they aren't AD integrated. So it's quite impossible for us to push that XML file automatically to all clients.

I hope this will be centrally manageable in a new ASA/AnyConnect version.

Regards,

Ruud van Strijp

Re: AnyConnect 3.1 untrusted certificate error

Ruud,

I understand your point.

I encourage you to get in touch with your Account team and request this functionality as an enhancement request.

Portu.

In case you don't have any further questions, please mark this post as answered.

Re: AnyConnect 3.1 untrusted certificate error

Hi,

I have a problem with the Anyconnect 3.1.

when I try to connect I get "the certificate on the secure gateway is invalid. A VPN connection will not be established".

The Certificate is a self signed cert.

Anyconnect 2.5 works without problems.

ASA Image: 8.4(2)

Thanks a lot.

Re: AnyConnect 3.1 untrusted certificate error

Hi Cristian,

Please open a new post, I''ll take care of it.

Thanks.

AnyConnect 3.1 untrusted certificate error

ok. done.

Thanks.