AnyConnect always use user certificate for authentication instead of machine certificate

zexinfinite
Level 1

I've set up "AAA and Certificate" for the tunnel group and imported the Root CA into the CA certificates on the ASA.

I also set "CertificateStore" to "Machine" and enabled "CertificateStoreOverride" in the client profile.

According to the debug output, the VPN session still used the user certificate instead of the machine certificate for authentication.

Is it possibly caused by the same issuer for both the user certificate and the machine certificate?

How can I force it to use the machine certificate for authentication?

Accepted Solution

zexinfinite
Level 1

The root cause is that I had too many VPN profiles locally, so AnyConnect didn't choose the correct one.

It's working after I deleted the other VPN profiles and kept only the necessary one.

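The accepted solution comes down to an inventory problem: several client profiles were present locally, and the one AnyConnect picked did not carry the Machine store setting. The following script is an added example (not code from the thread or from Cisco) that audits a set of AnyConnect client profile XML files and reports two things: profiles that do not set CertificateStore to Machine with CertificateStoreOverride true, and headend addresses that appear in more than one profile. The two sample profiles are constructed inline to mirror the situation in the thread; the Windows profile directory path and the XML element layout (AnyConnectProfile / ClientInitialization / CertificateStore, ServerList / HostEntry / HostAddress) are assumptions about the profile format.

```python
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed default location of AnyConnect client profiles on Windows; adjust for other platforms.
DEFAULT_PROFILE_DIR = r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"

# Constructed sample profile: the one the poster intended to use (Machine store, override on).
PROFILE_MACHINE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>corp-vpn</HostName>
      <HostAddress>vpn.example.test</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample profile: a stale one for the same headend that still allows any store.
PROFILE_STALE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>All</CertificateStore>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>old-corp-vpn</HostName>
      <HostAddress>vpn.example.test</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

SAMPLE_PROFILES = {"corp-profile.xml": PROFILE_MACHINE, "stale-profile.xml": PROFILE_STALE}


@dataclass
class ProfileInfo:
    name: str
    certificate_store: str               # text of <CertificateStore>, "" if absent
    store_override: str                  # text of <CertificateStoreOverride>, "" if absent
    hosts: List[str] = field(default_factory=list)

    def uses_machine_store(self) -> bool:
        """True only when the profile forces the machine certificate store."""
        return (self.certificate_store.lower() == "machine"
                and self.store_override.lower() == "true")


def _local(tag: str) -> str:
    """Strip the XML namespace so element names match regardless of the xmlns used."""
    return tag.rsplit("}", 1)[-1]


def parse_profile(name: str, xml_text: str) -> ProfileInfo:
    """Extract the certificate-store settings and headend addresses from one profile."""
    root = ET.fromstring(xml_text)
    store = override = ""
    hosts: List[str] = []
    for el in root.iter():
        tag, text = _local(el.tag), (el.text or "").strip()
        if tag == "CertificateStore":
            store = text
        elif tag == "CertificateStoreOverride":
            override = text
        elif tag == "HostAddress":
            hosts.append(text)
    return ProfileInfo(name, store, override, hosts)


def audit_profiles(profiles: Dict[str, str]) -> List[str]:
    """Return findings for a mapping of {profile file name: XML text}."""
    infos = [parse_profile(n, x) for n, x in profiles.items()]
    findings: List[str] = []
    for info in infos:
        if not info.uses_machine_store():
            findings.append(
                f"{info.name}: CertificateStore={info.certificate_store or '(unset)'} "
                f"CertificateStoreOverride={info.store_override or '(unset)'}; "
                "this profile will not force the machine certificate")
    # Several profiles for the same headend is exactly how a stale one ends up being selected.
    by_host: Dict[str, List[str]] = {}
    for info in infos:
        for h in info.hosts:
            by_host.setdefault(h, []).append(info.name)
    for h, names in sorted(by_host.items()):
        if len(names) > 1:
            findings.append(
                f"{h}: defined in {len(names)} profiles ({', '.join(sorted(names))}); keep only one")
    return findings


def load_profile_dir(path: str = DEFAULT_PROFILE_DIR) -> Dict[str, str]:
    """Read every .xml profile in the directory into the mapping audit_profiles() expects."""
    out: Dict[str, str] = {}
    for fn in os.listdir(path):
        if fn.lower().endswith(".xml"):
            with open(os.path.join(path, fn), encoding="utf-8") as f:
                out[fn] = f.read()
    return out


if __name__ == "__main__":
    # Run against the constructed samples; use load_profile_dir() for a real client.
    for line in audit_profiles(SAMPLE_PROFILES):
        print(line)
```

Against the constructed samples the audit flags the stale profile (store set to All, no override) and notes that vpn.example.test is defined twice; on a real client, replace SAMPLE_PROFILES with load_profile_dir() and remove the profiles that are not pushed by the ASA.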

5 Replies

Based on the input it should work. Did you make sure that you tried to disconnect and reconnect after the profile was downloaded first time to the client?

Yes, I tried to reconnect the VPN after the profile was downloaded, but it still uses the user certificate for authentication.

I was having this exact same issue, and for some reason setting IKEv2 as the connection fixed my problem. Remove SSL from the connection profile and also from the AnyConnect profile.

Check out my post when I ran into this issue. 

https://community.cisco.com/t5/vpn/anyconnect-not-detecting-machine-store-cert-for-auth/m-p/4167818#M274984

Thank you for inspiring me! I checked the DART log and then found the root cause!
