Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7893
Views
5
Helpful
8
Replies

AnyConnect 3.1 untrusted certificate error

Go to solution
Ruud van Strijp
Level 1
Level 1

‎10-26-2012 05:30 AM - edited ‎02-21-2020 06:26 PM

Hi,

I just upgraded our AnyConnect package on our ASA5510 from 3.06xxx to 3.1. When I tried to log in to the website to automatically install the client, it showed me a big error saying the Certificate is untrusted and I have to explicitly accept it. After accepting it, I had to restart the installation.

Is there a way to disable this strict certificate trust setting? We don't have a valid SSLVPN certificate yet, but this big error will confuse endusers.

Regards,

Ruud van Strijp

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Javier Portuguez
Level 9
Level 9

‎10-26-2012 05:53 AM

Hi Ruud,

Yes, you can disable it with the local policy editor:

The profile editor can be found as anyconnect-profileeditor-win-3.1.01065-k9.exe at:

Standalone Profile Editor package on Windows platforms.

Enable Strict Certificate Trust in the AnyConnect Local Policy

Or you can disable it manually for each user:

Invalid Certificate Handling

However please keep this in mind:

Note          We strongly recommend you enable Strict Certificate Trust for the AnyConnect client for the following reasons:

•With the increase in targeted exploits, enabling Strict Certificate Trust in the local policy helps prevent "man in the middle" attacks when users are connecting from untrusted networks such as public-access networks.

•Even if you use fully verifiable and trusted certificates, the AnyConnect client, by default, allows end users to accept unverifiable certificates. If your end users are subjected to a man-in-the-middle attack, they may be prompted to accept a malicious certificate. To remove this decision from your end users, enable Strict Certificate Trust.

HTH.

Portu.

Please rate any helpful posts

* In case you don't have any further questions, please mark this post as answered.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Javier Portuguez
Level 9
Level 9

‎10-26-2012 05:53 AM

Hi Ruud,

Yes, you can disable it with the local policy editor:

The profile editor can be found as anyconnect-profileeditor-win-3.1.01065-k9.exe at:

Standalone Profile Editor package on Windows platforms.

Enable Strict Certificate Trust in the AnyConnect Local Policy

Or you can disable it manually for each user:

Invalid Certificate Handling

However please keep this in mind:

Note          We strongly recommend you enable Strict Certificate Trust for the AnyConnect client for the following reasons:

•With the increase in targeted exploits, enabling Strict Certificate Trust in the local policy helps prevent "man in the middle" attacks when users are connecting from untrusted networks such as public-access networks.

•Even if you use fully verifiable and trusted certificates, the AnyConnect client, by default, allows end users to accept unverifiable certificates. If your end users are subjected to a man-in-the-middle attack, they may be prompted to accept a malicious certificate. To remove this decision from your end users, enable Strict Certificate Trust.

HTH.

Portu.

Please rate any helpful posts

* In case you don't have any further questions, please mark this post as answered.

0 Helpful

Go to solution
Ruud van Strijp
Level 1
Level 1
In response to Javier Portuguez

‎10-26-2012 05:56 AM

Hi Portu,

Thank you for your extremely fast answer! Does the Local Policy Editor work for all clients? So can I upload the configured policy and use the ASA to push this to all clients? I don't want to run this tool on each and every laptop.

Regards,

Ruud van Strijp

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Ruud van Strijp

‎10-26-2012 06:20 AM

Hi Ruud,

You are welcome!

It should work for any AnyConnect 3.1 version.

The AnyConnect Local Policy parameters reside in an XML file called AnyConnectLocalPolicy.xml. This file is not deployed by the ASA. You must deploy this file using corporate software deployment systems or change the file manually on a user computer

HTH.

Portu.

Please rate any helpful posts

Go to solution
Ruud van Strijp
Level 1
Level 1
In response to Javier Portuguez

‎10-26-2012 06:32 AM

Hi,

That's too bad. We use the ASA builtin website to let users install the AnyConnect client, because a lot of our users are on the road so they aren't AD integrated. So it's quite impossible for us to push that XML file automatically to all clients.

I hope this will be centrally manageable in a new ASA/AnyConnect version.

Regards,

Ruud van Strijp

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Ruud van Strijp

‎10-26-2012 06:35 AM

Ruud,

I understand your point.

I encourage you to get in touch with your Account team and request this functionality as an enhancement request.

Portu.

In case you don't have any further questions, please mark this post as answered.

0 Helpful

Go to solution
Cristian Iconaru
Level 1
Level 1
In response to Javier Portuguez

‎11-27-2012 06:39 AM

Hi,

I have a problem with the Anyconnect 3.1.

when I try to connect I get "the certificate on the secure gateway is invalid. A VPN connection will not be established".

The Certificate is a self signed cert.

Anyconnect 2.5 works without problems.

ASA Image: 8.4(2)

Thanks a lot.

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Cristian Iconaru

‎11-27-2012 07:00 AM

Hi Cristian,

Please open a new post, I''ll take care of it.

Thanks.

0 Helpful

Go to solution
Cristian Iconaru
Level 1
Level 1
In response to Javier Portuguez

‎11-27-2012 07:09 AM

ok. done.

Thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents