AnyConnect Certificate Selection Popup Issue with AAA Only Authentication

Andrew Devine
Level 1

Hi,

Setup as below:-

Cisco ASA 5505

Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(3)

Cisco AnyConnect Client 2.5.0217 

Basically I have the DefaultWEBVPNGroup connection profile configured for AAA only authentication to a RADIUS server.  The problem I have is that users are being prompted for Certificate Selection prior to entering their credentials.

I have tried various settings in the client profile, is there a way of disabling AnyConnect from automatically looking in the certificate store?

Depending on the laptop build, we may have user or machine certificates, so the three options of all, user or machine all cause issues.  I have certificate store override unchecked.

Any pointers?  Struggled to find anything on the forum.

Cheers,

Andrew

2 Replies

Jennifer Halim
Cisco Employee

The AnyConnect connection is over HTTPS (SSL), and it uses a certificate.

It looks like you are just using the ASA self-signed certificate; that is why the user is getting prompted for a certificate. With the ASA self-signed certificate, the root CA cert is not preloaded onto the user's PC, as it is just a self-generated certificate from your ASA.

If you do not want the user to be prompted for a certificate, the user can install and save the ASA self-signed certificate into the Root CA certificate store, and the next time he/she connects, they won't be prompted for a certificate anymore.

Otherwise, you can purchase a certificate from a third-party certificate vendor, like Verisign, etc.; they have their Root CA certificate pre-loaded into most users' machines in the certificate store, and the user will never be prompted for a certificate as it is trusted.

Hi,

Thanks for the reply but this is related to client authentication by the ASA, not clients authenticating the ASA itself.

I think I have identified a bug as I have fixed this now.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html#wp1083467

However, when I uncheck 'Disable Cert Selection' it stops prompting the user. The logic here needs to be reversed or changed to 'Enable Cert Selection'.

Andrew
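The thread turns on three client-profile settings: the certificate store to search, the store override, and the certificate-selection switch whose editor label Andrew reports as inverted. The script below is an added example (not from the thread, not Cisco's code) that reads an AnyConnect client profile XML and reports those settings so an administrator can confirm what was actually pushed to clients rather than trusting the editor checkbox. The element names `CertificateStore`, `CertificateStoreOverride` and `AutomaticCertSelection`, the `http://schemas.xmlsoap.org/encoding/` default namespace, and the meaning given to each value are assumptions drawn from the AnyConnect profile schema; the sample profile and `vpn.example.com` are constructed placeholders.

```python
"""Report the certificate-selection settings in an AnyConnect client profile.

Added example, not part of the original thread. Element names and their
interpretation are assumed from the AnyConnect client-profile schema;
verify them against the output of your own profile editor.
"""
import xml.etree.ElementTree as ET

# The profile editor emits this default namespace. A bare
# root.find("ClientInitialization") then matches nothing, which is the
# usual stumbling block when scripting against these files.
AC_NS = "http://schemas.xmlsoap.org/encoding/"

CERT_KEYS = ("CertificateStore", "CertificateStoreOverride", "AutomaticCertSelection")

# Constructed sample profile (not from the page); host names are placeholders.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon>false</UseStartBeforeLogon>
    <AutomaticCertSelection>true</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip a leading '{namespace}' so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def cert_settings(profile_xml):
    """Return {setting: text or None} for the certificate-related elements."""
    root = ET.fromstring(profile_xml)
    found = {key: None for key in CERT_KEYS}
    for el in root.iter():
        name = _local(el.tag)
        if name in found:
            found[name] = (el.text or "").strip()
    return found


def audit(settings):
    """Describe what each setting means for an AAA-only connection profile.

    Interpretations are assumptions about the schema, stated in the lead-in.
    """
    notes = []
    store = settings["CertificateStore"]
    if store in (None, "All"):
        notes.append("CertificateStore is All or unset: the client searches "
                     "both the user and the machine store for a certificate")
    elif store in ("User", "Machine"):
        notes.append(f"CertificateStore is {store}: only that store is searched")
    else:
        notes.append(f"CertificateStore has an unexpected value {store!r}")

    if settings["CertificateStoreOverride"] == "true":
        notes.append("CertificateStoreOverride is true: the machine store is "
                     "searched even for non-administrator users")

    auto = settings["AutomaticCertSelection"]
    if auto is None:
        notes.append("AutomaticCertSelection is not set explicitly; confirm the "
                     "client's prompting behaviour rather than trusting the "
                     "editor checkbox, which the thread reports as inverted")
    elif auto == "true":
        notes.append("AutomaticCertSelection is true: the client chooses a "
                     "certificate itself instead of prompting the user")
    else:
        notes.append("AutomaticCertSelection is false: users with certificates "
                     "in the searched store may see the selection dialog")
    return notes


if __name__ == "__main__":
    for line in audit(cert_settings(SAMPLE_PROFILE)):
        print("-", line)
```

Point `cert_settings` at the profile the ASA actually serves (the XML copied from the client's profile directory after a connection) rather than at the editor's working copy, so that what is reported is what users receive.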