Solved: Re: AnyConnect certificate error

KevinYounil1 · ‎01-03-2018

Hello,

I have implemented an AnyConnect solution on our ASA 5516X and I am using ACS as 3A server. ASA has been configured to use certificates for authentication. The client has a computer and user certificate installed and when it tries to to connect it receives an error message stating "certificate validation failure" on the client. I ran deubug on ASA and realized that right TrustPoint getting selected and also saw this error:

No certificates received during the handshake with client Public:w.x.y.z/52494 to w.x.y.z/443 for DTLSv1 session.

My final goal is just to authenticate computer certificate and I have installed user certificate just for testing purpose. Has anyone any idea about that?

Any help in this regard would be greatly appreciated.

Kevin

Mohammed al Baqari · ‎01-03-2018

In your anyconnect profile, are you keeping certificate selection as
automatic. Also, are you having the certificate in the personal certificate
store. Finally, is your client certificate having Client Authentication in
Extended Key Usage. Your CA should be generating Client Authentication EKU
certificates to be picked by anyconnect client and used for authentication.

View solution in original post

Mohammed al Baqari · ‎01-03-2018

In your anyconnect profile, are you keeping certificate selection as
automatic. Also, are you having the certificate in the personal certificate
store. Finally, is your client certificate having Client Authentication in
Extended Key Usage. Your CA should be generating Client Authentication EKU
certificates to be picked by anyconnect client and used for authentication.

KevinYounil1 · ‎01-03-2018

Hi Mohammed,

Thank you for your reply.

I checked your recommendations and it is working now but the problem is: it is still verifying user certificate not Computer certificate. How can I set to verify computer certificate instead?