
AnyConnect, AAA + certificate

elite2010
Level 3

Hi,

The user requests a CSR, sends it to the CA and installs the certificate in the certificate store.

When AnyConnect reads the certificate, how does AnyConnect verify the certificate?

What type of certificate does the user have to request?

Please give a step-by-step example from an internal CA.

Thanks

2 Replies

Rahul Govindan
VIP Alumni

What type of CA are you using to issue user certificates? In the case of Microsoft CA, you would have to use templates for users to be able to request certificates themselves via a web page. For AnyConnect client certificates, the important thing to note is that you need a few attributes (EKU set to Client Authentication, for example) for the certificate to be used for SSL client certificate authentication.

A good guide to configuring your MS CA for AnyConnect is given here:

http://www.petenetlive.com/KB/Article/0001030

The ASA verifies that the user certificate has been issued by a CA it trusts - which means you would have to have the CA certificate of the MS CA installed on the ASA. It also does a revocation check to see if the certificate provided by the user is valid. If you get all this right, the client should be able to authenticate with the ASA without any issues.
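The two checks described above, as an added example that is not part of this thread or of Cisco's software: a small openssl script builds a two-tier internal CA (root and subordinate), issues a user certificate, and then tests whether a certificate chains to the trusted root and whether it carries the client-authentication EKU. The names RootCa, testdom-INTCA and user1@testdom.com follow the thread; keys, validity periods and SHA-256 signatures are constructed here, and openssl is assumed to be installed.

```shell
# Added example (not from this thread or Cisco): a root -> subordinate CA built
# with openssl, plus the two checks the ASA applies to a user certificate.

# Builds the PKI in a temporary directory and prints that directory's path.
build_pki() {
  WORK=$(mktemp -d) || return 1
  cd "$WORK" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Root CA: self-signed and marked as a CA (constructed, mirrors the thread's RootCa)
  openssl req -new -newkey rsa:2048 -nodes -subj "/DC=local/DC=testdom/CN=RootCa" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null
  # Subordinate CA: signed by the root, also marked as a CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/DC=local/DC=testdom/CN=testdom-INTCA" \
    -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out sub.pem 2>/dev/null
  # User certificate: CN is the UPN, EKU = TLS Web Client Authentication
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user1@testdom.com" \
    -keyout user.key -out user.csr 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > user.ext
  openssl x509 -req -in user.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 30 -sha256 -extfile user.ext -out user.pem 2>/dev/null
  # Same key and subject, but EKU = Server Authentication only (the EKU the
  # thread's identity certificate has): not usable for client authentication
  printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature\n' > srv.ext
  openssl x509 -req -in user.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 30 -sha256 -extfile srv.ext -out srv.pem 2>/dev/null
  echo "$WORK"
}

# Check 1: does the certificate chain to a trusted root?  $1 = certificate,
# $2 = trusted root(s), $3 = intermediate(s) sent along with the certificate.
# Like the ASA trustpoint check, the root must be trusted; a subordinate CA
# on its own is not a trust anchor.
chains_to_root() {
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# Check 2: is the certificate usable for SSL client authentication?  openssl's
# purpose check requires the clientAuth EKU (when an EKU is present) and a
# keyUsage that permits digital signatures.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -purpose 2>/dev/null | grep -q '^SSL client : Yes'
}

# Usage: DIR=$(build_pki); chains_to_root "$DIR/user.pem" "$DIR/root.pem" "$DIR/sub.pem" && echo chain-ok
```

Running the same checks against srv.pem, or with only the subordinate CA as the trust anchor, fails, which is what an ASA with the wrong EKU or a missing root trustpoint reports as a certificate validation error.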

Hi,

I am getting a certificate validation error when connecting with AnyConnect.

Below is the information.

I have a root CA and a sub CA (Microsoft, internal),

so I added both certificates under Device Management -> CA Certificates (two different trustpoints).

ROOT-CA
sh crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 29axxxxxxxxxxxxxxxxx
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=RootCa
dc=testdom
dc=local
Subject Name:
cn=RootCa
dc=testdom
dc=local
Validity Date:
start date: 15:35:11 UTC Dec 24 2008
end date: 15:29:35 UTC Jan 15 2019
Associated Trustpoints: ASDM_TrustPoint3------------------------------ROOT-CA

IDENTITY CERTIFICATE

Certificate
Status: Available
Certificate Serial Number: 1bxxxxxxxxxxxxxxxxx
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA512 with RSA Encryption
Issuer Name:
cn=testdom-INTCA
dc=testdom
dc=local
Subject Name:
cn=testdom-Internet-FW
CRL Distribution Points:
[1] ldap:///CN=testdom-INTCA,CN=CERSRV,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdom,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
[2] http://CERSRV.testdom.local/CertEnroll/testdom-INTCA.crl
Validity Date:
start date: 11:33:48 UTC Apr 18 2017
end date: 15:29:35 UTC Jan 15 2019
Associated Trustpoints: ASDM_TrustPoint2------identity certificate

SUBORDINATE CA

CA Certificate
Status: Available
Certificate Serial Number: 1bxxxxxxxxxxxxxxxxx
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=RootCa
dc=testdom
dc=local
Subject Name:
cn=testdom-INTCA
dc=testdom
dc=local
CRL Distribution Points:
[1] ldap:///CN=RootCa,CN=AD02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdom,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 16:04:06 UTC Jan 30 2017
end date: 15:29:35 UTC Jan 15 2019
Associated Trustpoints: ASDM_TrustPoint1-------------------SUBORDINATE CA

The identity certificate's EKU is set to Server Authentication (1.3.6.1.5.5.7.3.1),

and the user certificate's EKU is set to Client Authentication.

show crypto ca trustpoints

Trustpoint _SmartCallHome_ServerCA:
Not authenticated.


Trustpoint ASDM_TrustPoint0:
Not authenticated.


Trustpoint ASDM_TrustPoint1:
Subject Name:
cn=testdom-INTCA
dc=testdom
dc=local
Serial Number: 15xxxxxxxxxxxxxxxxxxx
Certificate configured.


Trustpoint ASDM_TrustPoint2:
Not authenticated.
(Q. Why is it not authenticated?)

Trustpoint ASDM_TrustPoint3:
Subject Name:
cn=RootCa
dc=testdom
dc=local
Serial Number: 29xxxxxxxxxxxxxxxx
Certificate configured.

tunnel-group test webvpn-attributes
authentication aaa certificate

I have a split domain, testdom.local and testdom.com,
so the user principal name is user1@testdom.com (not user1@testdom.local).
The certificate CN is user1@testdom.com.

Thanks