2921 IOS AnyConnect using client certificate authentication

corycandia
Level 1

Community,

I can't find any complete examples of configuring AnyConnect on a 2921 using certificate authentication instead of user/pass.


Can anyone help provide the correct pieces?  We already have AnyConnect configured and working with local username and password.


Here's some relevant config pieces:

2921, Version 15.0(1r)M16

crypto pki trustpoint C3-ROOT-CA_TRUSTPOINT
 enrollment terminal
 fqdn gateway.FQDN.com
 subject-name CN=gateway.FQDN.com,OU=NETWORKING,O=ORG,ST=IN,C=US
 subject-alt-name gateway.FQDN.com
 revocation-check none
crypto pki certificate chain C3-CANDIAMANTICS-ROOT-CA_TRUSTPOINT
 certificate 120000012C1D991EADCECA851600020000012C
  308206AE 30820596 A0030201 02021312 0000012C 1D991EAD CECA8516 00020000
  012C300D 06092A86 4886F70D 01010B05 00306D31 15301306 0A099226
  <MORE>
 certificate ca 57C0486E5F6FF586490EB28549A59088
  308203F6 308202DE A0030201 02021057 C0486E5F 6FF58649 0EB28549 A5908830
  0D06092A 864886F7 0D01010B 0500306D 31153013 060A0992 268993F2 2C640119
  <MORE>

aaa authentication login AAA_ANYCONNECT local

crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.4.00243-webdeploy-k9.pkg sequence 1

webvpn gateway WEBVPN-GATEWAY_ANYCONNECT
 ip interface GigabitEthernet0/1 port 1025
 ssl trustpoint C3-ROOT-CA_TRUSTPOINT
 inservice
 dtls port 1025

webvpn context WEBVPN-CONTEXT_ANYCONNECT
 virtual-template 1
 aaa authentication list AAA_ANYCONNECT
 gateway WEBVPN-GATEWAY_ANYCONNECT
 ssl authenticate verify all

 policy group GROUPPOLICY_ANYCONNECT-SPLIT
  functions svc-enabled
  svc address-pool "ADDRESSPOOL_ANYCONNECT" netmask 255.255.255.248
  svc default-domain "DOMAIN.local"
  svc module vpngina
  svc profile ANYCONNECT-PROF_CARM
  svc split include acl ACL_ANYCONNECT-SPLITTUNNEL
  svc dns-server primary 172.20.19.253
 default-group-policy GROUPPOLICY_ANYCONNECT-SPLIT

My certificate was created by a stand-alone Windows CA, which is the trusted root CA for the enterprise.

The intended goal is that a Windows laptop or a mobile phone can connect using the AnyConnect application without using a username and password, but instead with a client certificate created by the enterprise CA. This will mostly be used by mobile devices. The MDM will install the client user certificate and that certificate will be used to authenticate AnyConnect.
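Before touching the gateway side, it is worth confirming that the certificate the MDM pushes would be accepted for client authentication at all: it must chain to the enterprise root and its extended key usage must allow TLS client authentication (a user certificate issued from a server-style template fails the second check even though the chain is fine). The script below is an added example, not from the thread or from Cisco; it builds a constructed throwaway PKI shaped like the poster's (one root, user certificates issued from it) with OpenSSL and runs that check against a good certificate, a serverAuth-only certificate and a self-signed one. All names, paths and the `make_test_pki` / `client_cert_ok` / `describe_cert` helpers are assumptions of this example, and it assumes the `openssl` command line (1.1.1 or later) is installed; it does not configure IOS.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway PKI shaped like the
# poster's (one enterprise root, user certificates issued from it) and check
# whether a candidate client certificate would pass certificate-based client
# authentication. Two conditions are checked, the same two a gateway enforces:
# the certificate chains to the trusted root, and its extended key usage
# permits TLS client authentication. All names and paths are constructed.
set -e

# Create, under directory $1: the root CA, a correctly issued user
# certificate, a user certificate issued with serverAuth only (a common
# template mistake), and a self-signed certificate that never touched the root.
make_test_pki() {
    dir="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/root.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server-only.ext"

    # Root CA: a CSR signed with its own key, extensions taken from root.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=Constructed Enterprise Root CA/O=ORG" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
        -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null

    # One user key and CSR, issued three different ways
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/user.key" \
        -out "$dir/user.csr" -subj "/CN=user@example.test/O=ORG" 2>/dev/null
    # 1) issued by the root with the clientAuth EKU: should be accepted
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/client.ext" -out "$dir/user.crt" 2>/dev/null
    # 2) issued by the root but with serverAuth only: right CA, wrong template
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/server-only.ext" -out "$dir/server-only.crt" 2>/dev/null
    # 3) self-signed with the right EKU: never issued by the enterprise root
    openssl x509 -req -in "$dir/user.csr" -signkey "$dir/user.key" -days 1 \
        -extfile "$dir/client.ext" -out "$dir/rogue.crt" 2>/dev/null
}

# Exit 0 if CERT ($2) chains to ROOT ($1) and is usable as a TLS client
# certificate, non-zero otherwise. "-purpose sslclient" makes openssl enforce
# the EKU, so a certificate from the right CA with the wrong template still fails.
client_cert_ok() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Print subject and the purposes openssl derives from the extensions; handy
# when diagnosing why a device certificate pushed by MDM is rejected.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -purpose
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
for name in user server-only rogue; do
    describe_cert "$WORK/$name.crt"
    if client_cert_ok "$WORK/root.crt" "$WORK/$name.crt"; then
        echo "$name.crt: ACCEPTED for client authentication"
    else
        echo "$name.crt: REJECTED (not issued by the root, or no clientAuth EKU)"
    fi
done
rm -rf "$WORK"
```

Run it with `sh check-client-cert.sh`; only `user.crt` is accepted. To test a real MDM-issued certificate, export it in PEM form and call `client_cert_ok` with the enterprise root certificate as the first argument; the `-purpose` output from `describe_cert` shows directly whether "SSL client" is Yes or No for that certificate.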


1 Reply

corycandia
Level 1

Bump. No one out there doing any certificate authentication for AnyConnect on IOS?
