I'm trying to set up certificate-based authentication for AnyConnect and running into the errors "CRYPTO_PKI: No Tunnel Group Match for peer certificate. CERT_API: Unable to find tunnel group for cert using rules (SSL)" AND "CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number..."
The issuer CA of the certs is the same for client and server. I'll paste my config below, sanitized. What am I missing? Or is this a cert issue?
group-policy vpn_test internal
group-policy vpn_test attributes
 wins-server value 126.96.36.199
 group-lock value vpn_test
 default-domain value example.com
 anyconnect profiles value vpn_test type user
 anyconnect ask none default anyconnect
tunnel-group vpn_test type remote-access
tunnel-group vpn_test general-attributes
tunnel-group vpn_test webvpn-attributes
 group-url https://myurl.com enable
I want to authenticate based on certificate, then on ISE authorization once the certificate is authenticated. I was under the impression that listing the common name in the configs would help in the authentication process, but I'm likely wrong. I'm using the tunnel group, group policy, and trustpoint. The trustpoint uses the same root CA as the client certificate. I've tried the full chain and still no luck. Here's a snippet of the syslog error:
%ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: #, subject name: x.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: #, subject name: cn=3590a9ba-6b10-4d18-9861-ff94431c01c9, issuer name: x
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=#, digest=
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints for connection type SSL
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: #
CRYPTO_PKI: No suitable TP status.
CRYPTO_PKI: Begin sorted cert chain
CRYPTO_PKI: End sorted cert chain
CRYPTO_PKI: Cert chain pre-processing: List size is 2, trustpool is not in use
CRYPTO_PKI: List pruning is not necessary.
CRYPTO_PKI: Sorted chain size is: 2
It's a wildcard certificate for the client that has client/server usage for EKU and application policy. It's a full chain with private key. I am also using the same for the ASA. Oddly enough, once I rebooted my test laptop, everything started working. Now I'm trying to figure out what has changed or if AnyConnect was just acting flaky. Are certificate maps needed for certificate authentication or just a way of separating functions? Also, I'm assuming the client needs to trust the same issuing authority that the firewall trustpoint does.
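The posted config shows the group policy and tunnel group but none of the pieces the two debug messages point at: a trustpoint that holds the issuing CA (the "No suitable trustpoints" error), and a certificate map tied to the tunnel group plus certificate authentication on the tunnel group itself (the "Unable to find tunnel group for cert using rules" error). The following is an added example of those missing pieces, not config from the original thread; the names CA_ROOT, vpn_test_map and ISE_RADIUS, the issuer CN and the use of the certificate CN as the username sent to ISE are assumptions for illustration.

```text
! --- Added example, not from the thread. Names and values are assumptions. ---

! 1. Trustpoint for the CA that issued the client certs. Without a trustpoint
!    whose CA chains to the client cert, the ASA logs "No suitable trustpoints".
crypto ca trustpoint CA_ROOT
 enrollment terminal
 revocation-check none
! then import the CA certificate:  crypto ca authenticate CA_ROOT
! (if the CA is a subordinate, import the whole chain so validation can reach a root)

! 2. Certificate map: a rule that matches certs from this issuer. The debug
!    "Unable to find tunnel group for cert using rules" means no rule matched.
crypto ca certificate map vpn_test_map 10
 issuer-name attr cn eq example-issuing-ca   ! assumed issuer CN

! 3. Bind the map to the tunnel group for SSL/AnyConnect connections.
webvpn
 certificate-group-map vpn_test_map 10 vpn_test

! 4. The tunnel group must actually request a certificate and, for the
!    certificate-then-ISE flow, send a cert-derived identity to ISE.
tunnel-group vpn_test general-attributes
 authentication-server-group ISE_RADIUS      ! assumed existing aaa-server group
 authorization-server-group ISE_RADIUS
 username-from-certificate CN                 ! assumed: cert CN becomes the username
 default-group-policy vpn_test
tunnel-group vpn_test webvpn-attributes
 authentication certificate
 group-url https://myurl.com enable
```

A certificate map is not strictly required when a single tunnel group is selected by group-url, but it is what the "rules" in the debug refer to, and it is the control that stops a certificate from any trusted CA landing in vpn_test. To check the server side of the trust question raised above, verify that the ASA's SSL trustpoint (ssl trust-point, not shown in the posted config) presents an identity certificate the client chains to a trusted root.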
Awesome, thank you. Got it working. I think the issue was that the client needed not only to trust the full chain on the ASA, but also the ASA identity itself. That, or rebooting my PC fixed AnyConnect.