cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2023
Views
0
Helpful
4
Replies

AnyConnect 3.1.01065

FilipOlsen
Level 1
Level 1

Hi Guys.

Just upgraded to newest version on anyconnect... asa running 8.4(4) 1

I only have this security warning :

Does anyone knows how to get rid of it ? , i have installed the cert on the client and have no warning when entering the https site for connecting / downloading the anyconnect client.

If i accept i will be logged on anyconnect and this will show up everytime connecting.

Please support.    

4 Replies 4

pkupisie
Cisco Employee
Cisco Employee

Hi Filip,

You need in certificate that is used by HTTP Server (SSLVPN)  to have Extended Key Usage (EKU) value of 'Server Authentication' .

You can use for it Cisco CA on IOS for some time already.

Example PKI Server configuration:

crypto pki server CA
grant auto
hash sha1
eku server-auth client-auth

Trustpoint:

crypto pki trustpoint CA-self
enrollment url http://10.1.1.2:80
fqdn 10.1.1.2
ip-address 10.1.1.2
subject-name cn=10.1.1.2,ou=TAC
revocation-check none
eku request server-auth

I hope it helps. Cheers.

Hi Piotr.

Yes i did read about this EKU change in cert , but im not able to use these commands in ASA IOS ?

>You can use for it Cisco CA on IOS for some time already<

Which IOS version is that , im trying with 15.1.4 on a 2801... still not able to use EKU command.

Hi,

Please refer to the bug CSCtl97326 which was feature request for EKU in PKI Server:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl97326

Based on this information it is added in:

15.1(1)SY

15.2(0.7.3)PIB17

15.2(0.0.10)PIL17

15.2(0.3.1)PIH16

15.2(1.5)T

15.2(1.5)S

15.1(1.4)DPB22

15.2(1.0.0)IPI2

In case of 15.1.4 I cannot check it without a trendline (T/S/M).