Enthusiast

AnyConnect Trusted Network Detection using Certificate Hash

Client Environment:

  • Cisco ISE v2.3
  • Cisco AnyConnect v4.5 client (ISE Posture, NAM and AnyConnect modules)
  • Windows 10 PCs with Machine certs issued by an Internal Sub Certificate Authority
    • AnyConnect NAM configured for EAP-TLS Authentication using Machine cert
  • Cisco Switches with 802.1x enabled in high Security Mode (Closed Mode)
  • Cisco ASA 5585 VPN Appliance
  • SSL VPN connection


We currently use AnyConnect Client v4.5 with Cisco ASA for SSL VPN. We have Always-On and Trusted Network Detection (TND) configured on the AnyConnect client using Domain DNS name and certificate check (URL). So Trusted Network Detection disconnects the VPN if it sees DNS suffix “MyComapny.com” and it has the right certificate Hash for a defined IP host.

  1. i.e. https://x.y.z.v:443    = Hash=fdsajahfjhfkjfajhfjhfk43949324

We have multiple TND https:// entries to provide for resilience, i.e. https://1.1.1.1:443, https://1.1.1.2:443

The question being: if the TND certificate hash fails on the first, does it drop down to the next on the list? Or is it a case of it only dropping to the next one if the first is unavailable?

Thanks, Khalid

Accepted Solution
Cisco Employee

Re: AnyConnect Trusted Network Detection using Certificate Hash

Hello,

If the server itself is not reachable we will try the next server. You won't be able to add the server with an invalid hash, and if you are able to do that then there is an issue. I assume you are asking if the hash changes and is now invalid? We should go down the list as ordered, although I cannot find this documented so that I can link you to it at this moment. If I come across it I will respond back.

Best regards,

Paul

AC & ATS TME

psd
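To make the behaviour discussed above concrete, here is an added example (not Cisco's code and not from either poster) that models a TND trusted-server list walk: each entry is checked in order, an unreachable server or a stale certificate hash moves on to the next entry, and only a server that is both reachable and matches its hash counts as trusted. It assumes the hash is the SHA-1 thumbprint of the server's DER certificate, uses constructed byte strings in place of real certificates, and leaves the DNS-suffix part of the check out; the fallback order is the one the reply describes, which the reply itself notes is not documented.

```python
import hashlib
import ssl
from typing import Callable, List, Optional, Tuple

# Stand-ins for DER-encoded server certificates (constructed bytes, not real
# X.509 data). A missing key means the server is unreachable.
FAKE_CERTS = {
    ("1.1.1.1", 443): b"constructed-der-for-1.1.1.1",
    ("1.1.1.2", 443): b"constructed-der-for-1.1.1.2",
}


def thumbprint(der_cert: bytes) -> str:
    """Hex SHA-1 thumbprint of a DER certificate (assumed to be the form of
    the TND certificate hash)."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def thumbprint_from_pem(pem_cert: str) -> str:
    """Same, from a PEM string such as ssl.get_server_certificate() returns."""
    return thumbprint(ssl.PEM_cert_to_DER_cert(pem_cert))


def fake_fetch(host: str, port: int) -> Optional[bytes]:
    """Simulated certificate fetch; None stands for 'server unreachable'."""
    return FAKE_CERTS.get((host, port))


# Constructed trusted-server list mirroring the thread: the first entry holds
# a stale hash (cert changed since it was added), the second is current.
TRUSTED_SERVERS: List[Tuple[str, int, str]] = [
    ("1.1.1.1", 443, "0" * 40),
    ("1.1.1.2", 443, thumbprint(FAKE_CERTS[("1.1.1.2", 443)])),
]


def evaluate_tnd(servers, fetch_cert: Callable[[str, int], Optional[bytes]]):
    """Walk the list in order. Returns (trusted, per-server reasons)."""
    reasons = []
    for host, port, expected in servers:
        der = fetch_cert(host, port)
        if der is None:                       # unreachable -> try next
            reasons.append((host, "unreachable"))
            continue
        if thumbprint(der) != expected.upper():  # stale hash -> try next
            reasons.append((host, "hash-mismatch"))
            continue
        reasons.append((host, "match"))       # reachable and matching
        return True, reasons
    return False, reasons


if __name__ == "__main__":
    print(evaluate_tnd(TRUSTED_SERVERS, fake_fetch))
```

Point `thumbprint_from_pem` at a real `ssl.get_server_certificate((host, port))` result to produce the value to compare against your own profile entries.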


Beginner

Re: AnyConnect Trusted Network Detection using Certificate Hash

What is the expected behavior when multiple Trusted Servers are defined? And what is the expected behavior if one or more of the defined servers is reachable, but has an invalid hash (changed since initially added)? As you mention, I don't see this documented anywhere. Are we simply looking for a single Trusted Server that is both reachable and passes the hash check? So we go down the list until those conditions are met for one defined server in the list? If you find this formally documented somewhere, please post the doc link. Thanks!
