12-21-2012 04:09 AM - edited 02-21-2020 06:34 PM
I am doing a proof of concept with AnyConnect and certificate authentication. With 3.0 I was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesn't work anymore (I need 3.1 and ASA 9.0 because of IPv6 split-tunneling).
Reading the forum I got some info that the ASA cert must have an EKU value of 'Server Authentication' and the client cert must have a similar EKU (Client Authentication).
Is this mandatory, or is there a way around this?
12-22-2012 01:10 AM
Hey,
For the moment it is a must and you cannot go around it.
Cheers,
12-24-2012 02:24 PM
Just to add to this.
AnyConnect 3.1 started KU enforcement, but typically it will drop a warning you can accept (annoying but not blocking).
EKU is something that for the time being ASA will not enforce; plus it's only needed for IKEv2/IPsec. AFAIR SSL will work without it unless there have been big changes I'm not aware of.
One can also argue EKU enforcement will not be, strictly speaking, enforced in the future of IKEv2.
Vide:
http://tools.ietf.org/html/rfc4945
5.1.3.12. ExtendedKeyUsage
M.
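The question above asks whether the ASA identity cert needs EKU serverAuth and the smartcard cert EKU clientAuth, and the reply notes that AnyConnect 3.1 checks KeyUsage while EKU matters for IKEv2. A practical first check is to decode those two extensions from a certificate and compare them with the role the cert will play. The following is an added example, not code from the thread or from Cisco: it decodes the DER value of a KeyUsage and an ExtendedKeyUsage extension (as you would get them from a cert parser or `openssl asn1parse`) and reports what is missing. The DER byte strings are constructed here for the demonstration; the rule that both certs should carry KU digitalSignature is an assumption of this example, not something the thread states.

```python
"""
Decode X.509 KeyUsage / ExtendedKeyUsage extension values (raw DER) and check
them against the expectations discussed in the thread:
  - ASA (server) identity cert: EKU serverAuth
  - client (smartcard) cert:    EKU clientAuth
The digitalSignature KU check is an assumption of this example.
All DER samples below are constructed by hand for the demonstration.
"""

# Well-known EKU OIDs (RFC 5280 section 4.2.1.12)
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}

# KeyUsage bit names in BIT STRING order, MSB first (RFC 5280 section 4.2.1.3)
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
           "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]


def _read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    first = value[0]
    parts = [first // 40, first % 40]       # first byte packs the first two arcs
    acc = 0
    for b in value[1:]:                     # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def decode_eku(der):
    """ExtendedKeyUsage value is SEQUENCE OF OBJECT IDENTIFIER -> list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(v))
    return oids


def decode_ku(der):
    """KeyUsage value is a BIT STRING -> set of named bits that are set."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KU value must be a BIT STRING")
    unused = body[0]                        # first content byte = number of unused trailing bits
    bits = "".join(f"{b:08b}" for b in body[1:])
    if unused:
        bits = bits[:len(bits) - unused]
    return {name for i, name in enumerate(KU_BITS) if i < len(bits) and bits[i] == "1"}


def check_usage(role, eku_oids, ku_flags):
    """Return a list of findings for an ASA ('server') or AnyConnect client ('client') cert."""
    needed = "serverAuth" if role == "server" else "clientAuth"
    names = [EKU_NAMES.get(o, o) for o in eku_oids]
    findings = []
    if not eku_oids:
        findings.append("no EKU extension (thread: SSL may tolerate this, IKEv2 needs it)")
    elif needed not in names and "anyExtendedKeyUsage" not in names:
        findings.append(f"EKU present but lacks {needed}: {names}")
    if "digitalSignature" not in ku_flags:     # assumption of this example, not from the thread
        findings.append("KU lacks digitalSignature (AnyConnect 3.1 warns on KU problems)")
    return findings


# Constructed sample extension values (DER), not taken from any real certificate
EKU_BOTH = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")  # serverAuth + clientAuth
EKU_CLIENT_ONLY = bytes.fromhex("300a" "06082b06010505070302")                  # clientAuth only
KU_DS_KE = bytes.fromhex("030205a0")                                            # digitalSignature, keyEncipherment

if __name__ == "__main__":
    for role, eku in (("server", EKU_BOTH), ("server", EKU_CLIENT_ONLY), ("client", b"")):
        oids = decode_eku(eku) if eku else []
        print(role, "->", check_usage(role, oids, decode_ku(KU_DS_KE)) or "OK")
```

Run it as-is to see one passing server cert, one server cert carrying only clientAuth, and one cert with no EKU at all; in practice you would feed in the extension values pulled from the ASA trustpoint cert and the smartcard cert rather than the constructed bytes.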
01-02-2013 07:35 AM
Are you sure the enforcement is not mandatory?
Something is happening in the client side for sure.
I have an ASA running 9.0; with AnyConnect 3.0 I can authenticate with a smartcard certificate, with 3.1 it doesn't work.
It authenticates (at least that's what I see in the ASA logs) but then the client just disconnects ...
PS - I am using a self-signed cert for the ASA trustpoint. With AAA authentication it works.
PS2 - I am getting lots of "CAPICERTUTILS_ERROR_*" in the AnyConnect log.
I have tried some of the workarounds (EKU on certificates, CN matching in the .xml) to no avail.
02-04-2013 06:01 AM
I will post this info so it can help anyone with the same problem.
After some weeks with a case opened on TAC (and lots of debug) the solution was to upgrade to the newest version of AnyConnect (3.1.2040, released on 28 January 2013).