AnyConnect client attempts failing to ASA 5505

John Hinckley
Level 1

I already have traditional IPsec VPN access working just fine through this device. Users connect and authenticate using a Windows AD server for RADIUS and everything works great. However, the customer wants to use AnyConnect instead of the traditional VPN client. So I added an SSL connection profile (the AnyConnect Essentials feature is enabled on the device) and told it to use the same IP pool and RADIUS server group as the IPsec clients. I used the ASDM wizard to configure it and had no issues completing the wizard.

Problem:

When trying to make a connection to the webvpn portal I get a 404 error instead of the client portal. Also, when trying to connect with the AnyConnect client, I get the usual "Untrusted VPN certificate" warning, but the connection attempt fails when I click through it.

The strange part is when I look at the issued certificate in the browser or the client, it's showing me the certificate from the RADIUS server. Why is it looking there for a certificate and, more importantly, why does it care at all about a certificate when I've specified in the connection profile to use AAA to authenticate?

I'm stuck at this point. I'm not understanding how/why certificates are trying to play a role in a RADIUS authentication model.

ASA 5505 Version: 8.2(5)

Any help is appreciated. Thanks.

-John

1 Reply

John Hinckley
Level 1

I found the problem and I feel kind of stupid. I didn't notice that someone had created a NAT rule for Exchange web access and it was looking at the Exchange server for the certificate. Doh!

Upon further research, a certificate is needed to create the SSL session. So just create a local identity certificate and make sure it's assigned to the correct trust point.
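
As an added example (not part of the original posts and not Cisco tooling): a small Python audit of ASA 8.2-style configuration text that flags the situation described in the reply, a static port-forward taking HTTPS on an interface where WebVPN is enabled, and also reports when no `ssl trust-point` is bound to that interface. The sample configuration, addresses and trustpoint name are constructed, and the check assumes the forward is a static PAT on tcp/443 that uses the `interface` keyword as its mapped address.

```python
import re

# Constructed sample in ASA 8.2 (pre-8.3 NAT) syntax; addresses and names are made up.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255
ssl trust-point ASA-IDENTITY inside
webvpn
 enable outside
 svc enable
"""

STATIC_PAT = re.compile(r"^static \([^,]+,(?P<mapped_if>[^)]+)\) tcp "
                        r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) \S+")
TRUSTPOINT = re.compile(r"^ssl trust-point (?P<name>\S+)(?: (?P<ifc>\S+))?$")
HTTPS = {"https", "443"}  # running-config shows the port name; accept the number too


def audit(config):
    """Return (interface, issue, detail) tuples for each WebVPN-enabled interface."""
    webvpn_ifs, bound, forwards = set(), set(), []
    in_webvpn = False
    for line in config.splitlines():
        line = line.rstrip()
        if line.startswith(" "):
            # Sub-command: only "enable <ifc>" under "webvpn" matters here.
            m = re.match(r"^ enable (\S+)$", line)
            if in_webvpn and m:
                webvpn_ifs.add(m.group(1))
            continue
        in_webvpn = line == "webvpn"
        m = TRUSTPOINT.match(line)
        if m:
            bound.add(m.group("ifc"))  # None means the trustpoint applies to all interfaces
        m = STATIC_PAT.match(line)
        if m and m.group("mapped_port") in HTTPS and m.group("mapped_ip") == "interface":
            forwards.append((m.group("mapped_if"), m.group("real_ip")))
    findings = []
    for ifc in sorted(webvpn_ifs):
        for mapped_if, real_ip in forwards:
            if mapped_if == ifc:
                # Inbound HTTPS is sent to real_ip, so clients see that host's certificate.
                findings.append((ifc, "https-forward", real_ip))
        if ifc not in bound and None not in bound:
            findings.append((ifc, "no-trustpoint", ""))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
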
