Beginner

AnyConnect Certificates and Getting Rid of the "Connect Anyway" screen

How do AnyConnect certificates work? What I am trying to do is stop users from having to click the "Connect anyway" button on the certificate warning screen. I can't seem to find where they are stored locally or inside of ASDM.

1 ACCEPTED SOLUTION

Hall of Fame Guru

Re: AnyConnect Certificates and Getting Rid of the "Connect Anyway" screen

AnyConnect uses the identity certificate of the ASA. If the certificate FQDN or Subject Alternative Name (SAN) doesn't match the URL you've given your users then they will get the mismatch and be required to manually accept that discrepancy ("Connect anyway").

In ASDM it shows up under Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, Device Certificate button. The available certificate(s) are listed under Configuration > Device Management > Certificate Management > Identity Certificates.

In the CLI there is a "ssl trust-point <TrustPoint Name> <Interface name>" command that binds a given certificate Trustpoint to the interface where the clients connect. That equates to the first section above. The second section would be under "crypto ca certificate ..." commands.

 

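Added example (not part of the original post, and not AnyConnect's or Cisco's code): a pre-deployment check of whether the names in an identity certificate cover the address users are told to connect to, which is the mismatch the answer above describes. The certificate fields, the hostnames and the simplified matching rules (SAN first, CN only when no SAN exists, wildcard only as the whole left-most label) are assumptions made for illustration.

```python
# Added example: constructed data, not output from a real ASA.
import ipaddress

def cert_names(cert):
    """Return (dns_names, ip_addrs); `cert` uses the ssl.getpeercert() dict layout."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and not ips:
        # Assumption: with no SAN present, fall back to the subject CN.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips

def _dns_match(pattern, host):
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the entire left-most label.
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_vpn_name(cert, connect_to):
    """Return (ok, names): ok is False when users would see the mismatch prompt."""
    host = connect_to.lower().rstrip(".")
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        ok = any(_dns_match(n, host) for n in dns)   # connecting by name
    else:
        ok = any(ipaddress.ip_address(i) == addr for i in ips)  # connecting by IP
    return ok, dns + ips

# Constructed identity certificate fields (hypothetical names).
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.ra.example.com")),
}

if __name__ == "__main__":
    for target in ("vpn.example.com", "east.ra.example.com",
                   "asa01.example.com", "203.0.113.10"):
        ok, names = check_vpn_name(SAMPLE_CERT, target)
        print(f"{target:22} {'match' if ok else 'MISMATCH'}  cert names: {names}")
```

Any address that reports MISMATCH either needs to be added to the certificate's SAN list or replaced, in the connection URL handed to users, with a name the certificate already carries.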

2 REPLIES

Beginner

Re: AnyConnect Certificates and Getting Rid of the "Connect Anyway" screen

Thank you!