AnyConnect always use user certificate for authentication instead of machine certificate

I've set up "AAA and Certificate" for the tunnel group and imported the Root CA as a CA certificate on the ASA.

I also set "CertificateStore" to "Machine" and enabled "CertificateStoreOverride" in the client profile.

According to the debug output, the VPN session still used the user certificate instead of the machine certificate for authentication.

Could this be caused by the same issuer for both the user certificate and the machine certificate?

How can I force it to use the machine certificate for authentication?

Accepted Solution

The root cause is that I have too many VPN profiles locally, so AnyConnect didn't choose the correct one.

It's working after I deleted the other VPN profiles and kept the necessary one.

Replies

Based on the input it should work. Did you make sure that you disconnected and reconnected after the profile was downloaded to the client the first time?

Yes, I tried to reconnect the VPN after the profile downloaded, but it still uses the user certificate for authentication.

I was having this exact same issue and for some reason, setting IKEv2 as the connection fixed my problem. Remove SSL from the connection profile and also from the AnyConnect profile.

Check out my post from when I ran into this issue.

https://community.cisco.com/t5/vpn/anyconnect-not-detecting-machine-store-cert-for-auth/m-p/4167818#M274984

Thank you for inspiring me! I checked the DART log and found the root cause!

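A check a practitioner could run in this situation (an added example, not code from the thread or from Cisco): audit every AnyConnect client profile in the local profile folder and report which ones do not set CertificateStore to Machine with CertificateStoreOverride enabled, so a stale profile that still lets the client fall back to the user store stands out. The Windows profile folder path and the two sample profiles are assumptions; the element names are the standard profile settings named in the thread.

```python
import os
import tempfile
from pathlib import Path
import xml.etree.ElementTree as ET

# Default Windows profile folder (assumption; check the endpoint, differs on macOS/Linux).
DEFAULT_PROFILE_DIR = r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"

def _first_text(root, name):
    """Text of the first element whose local tag (namespace stripped) is `name`, else None."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return None

def audit_profile(path):
    """Summarise one client profile's certificate-store settings."""
    root = ET.parse(path).getroot()
    store = _first_text(root, "CertificateStore") or "All"  # AnyConnect default is All
    override = (_first_text(root, "CertificateStoreOverride") or "false").lower() == "true"
    return {"file": os.path.basename(path), "store": store, "override": override}

def audit_profile_dir(profile_dir=DEFAULT_PROFILE_DIR):
    # Every .xml profile in the folder, in name order
    return [audit_profile(os.path.join(profile_dir, n))
            for n in sorted(os.listdir(profile_dir)) if n.lower().endswith(".xml")]

def not_forcing_machine_store(results):
    # Profiles that still allow the client to pick a user-store certificate
    return [r["file"] for r in results if not (r["store"] == "Machine" and r["override"])]

# Constructed sample profiles: one set up as in the thread, one stale profile left behind.
SAMPLE_PROFILES = {
    "corp-machine.xml": """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
</AnyConnectProfile>""",
    "old-lab.xml": """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization><CertificateStore>All</CertificateStore></ClientInitialization>
</AnyConnectProfile>""",
}

def demo():
    """Write the samples to a temp folder, audit it, return (results, offending files)."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_PROFILES.items():
            Path(d, name).write_text(body, encoding="utf-8")
        results = audit_profile_dir(d)
    return results, not_forcing_machine_store(results)
```

Run `audit_profile_dir()` against the real folder to see which leftover profiles to remove; `demo()` exercises the same logic on the constructed samples.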