Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
640
Views
0
Helpful
2
Replies

Clientless Authentication Using an External CA

a.giorgi
Level 1
Level 1

‎12-17-2013 11:15 PM

Hi there:

I'm trying to configure a clientless authentication using certificates issued by my own CA but I can't

I get a certificate validation failure
I was searching for a configuration guide but I can't found it

I enrolled the ASA with the CA and assigned the certificate to outside
I enrolled the user to CA

I configured the connection profile to certificate authentication method
I configured the certificate map connection profile to OU field in the certificate
I begin to suspect this is not a valid design unless the ASA is the CA
Can somebody confirm if I can authenticate my users using SSL VPN with cerificates from an external CA?

Someone know a configuration guide to do it?

Thank you in advance

Al

Labels:
0 Helpful
2 Replies 2

Karsten Iwen
VIP
VIP

‎12-18-2013 12:39 AM

You also can use an external CA. Thats also the common way as the local CA can't be used in Failover-Scenarios.

Start with the configuration-guides on certificates:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_certs.html

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html

--

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

a.giorgi
Level 1
Level 1
In response to Karsten Iwen

‎12-18-2013 11:09 PM

Thank you Iwen

Finally I found the problem

You need to enroll the user certificate across the ASA (ASA as proxy)

If you try to make the enrollment directly to CA the certificates are different

the DC at left is the result of direct enrollment and doesn't work

the DC at right is the right one

Thank you very much

Al

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents