AnyConnect + certificate authentication

zahir_zahir
Level 1

Hi there!

I'm working on a solution to my problem, which is RA VPN on an ASA and AnyConnect 3.1. I configured the device according to a few tutorials, so I believe the configuration is correct. But when I connect to https://asa.domain.com I am asked to choose a connection profile and a login/password. After entering that information I see the error message "certificate validation failed". The main cause of the problem (I guess) is that I am trying to use a machine certificate, not a user cert. My browser (IE 8) automatically chooses the user cert and I am not able to choose a different cert. Is there a solution for that?

Thanks in advance!

7 Replies

mulhollandm
Level 1

Ad

Is your ASA providing the client cert?

If so, have you downloaded and installed it on the client?

Also, have you installed the correct root cert, and have you run any debugs on the ASA?

The ASA has two certificates: one is installed as a CA cert and is my root CA cert; the other was generated via a manual request and is installed in the identity certificate store. My Windows machine has the same root CA cert and also a Windows machine cert signed by the same CA. "debug crypto ca 255" shows almost nothing, something like 2 lines of output (I will provide it tomorrow). I believe that the certificates are OK, as I can connect to the VPN via the old Cisco VPN Client, where I am able to choose which cert I want to use to authenticate - when I choose my machine certificate everything works fine. I still think my browser is trying to use the user cert :/

>let me know if you have any further questions.

Hello!

I have a question and asked it in the doc's comments - how do I revoke a certificate?

Thank you!

Hello Ad,

I would recommend you to check on the following doc:

AnyConnect Certificate Based Authentication

After reviewing this doc, let me know if you have any further questions.

Thanks.

Portu.

Please rate any posts that you find helpful.

Hi, still nothing. I don't have a user certificate, only a machine certificate.

When I access my ASA webpage there is a banner saying:

Your client certificate will be used for authentication

How can I force it to use my machine cert instead of the client certificate?

EDIT:
Now I am sure that my IE chooses the client certificate, not the machine cert. When I installed IE 7 I was able to choose which certificate I want to use, but the list only contains certs that are in the client certificate store, not the machine store.
How can I fix it? It seems like a browser issue.

EDIT 2:
Another idea may be to validate users connecting to the webpage just via username/password (AAA), but when they download the client profile file (XML) they need to authenticate via the machine certificate (in the XML file I can choose which cert I want to use). The question is whether it is even possible to do such a thing. I would need to have 2 separate connection profiles, but how do I map one of them to the website and the other one to the AnyConnect client?

Additional question: where can I find the XML file with the profile that was downloaded during the HTTPS connection to the ASA? There's nothing in C:\Program Files\Cisco\AnyConnect

And is it possible to allow clients to download AnyConnect through HTTPS (SSL) but establish the VPN session using IPSec instead of SSL?

According to:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ref_extserver.html

"Using a PC as a remote user would, attempt connections using clientless SSL, the AnyConnect client, and the IPSec client. The clientless and AnyConnect connections should fail and the user should be informed that an unauthorized connection mechanism was the reason for the failed connection. The IPSec client should connect because IPSec is an allowed tunneling protocol according to attribute map."

What really is AnyConnect, an IPSec client?? I thought that AnyConnect is like the old Cisco VPN Client and I can choose which protocol it will use to establish the VPN connection - SSL or IPSec.

In the AnyConnect user guide I found that it can be used as an IPSec client, but is it possible to use IPSec as the VPN protocol while downloading the AnyConnect client via the browser?
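An added example, not from the thread: the client-profile settings that address the two questions above, machine-store certificate selection and an IKEv2/IPsec tunnel for a client that was downloaded over SSL. The browser login on the ASA portal only ever sees certificates in the current user's Windows store, which is why IE keeps picking the user cert; once the AnyConnect client is installed and has received a profile like this one, it does its own certificate selection and can be told to look in the local computer (machine) store. On Windows Vista and later the client saves downloaded profiles under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile, not under Program Files. The host asa.domain.com comes from the original post; the display name "Corporate VPN" is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (not from the thread). asa.domain.com is the ASA
     named in the original post; the HostName display string is an assumption. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Search only the Windows local computer (machine) certificate store,
         not the current user's store, when picking a client certificate.
         Valid values: All, Machine, User. -->
    <CertificateStore>Machine</CertificateStore>
    <!-- Allow the client to use the machine store even when the logged-on
         user is not a local administrator. -->
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <!-- Select the certificate automatically instead of prompting; the user
         cannot change this setting from the client GUI. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>asa.domain.com</HostAddress>
      <!-- Build the tunnel with IKEv2/IPsec even though the client and this
           profile were downloaded over HTTPS. The ASA group policy must allow
           both protocols ("vpn-tunnel-protocol ssl-client ikev2"); if IKEv2
           fails the client falls back to SSL. -->
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The profile is pushed from the ASA to the client after the first successful connection, so the very first login still has to succeed by some other method, such as the username/password (AAA) connection profile described in EDIT 2; after that the client-side setting above controls which store is searched.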

Hi Ad,

Yes, you can access and download the client through the web portal; just make sure you allow both the "ssl-client" and "ikev2" VPN protocols.

Let me know if you have any further questions.

Portu.

Please rate any helpful posts.