Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3836
Views
0
Helpful
5
Replies

AnyConnect Client Certificate Firepower FTD

Go to solution
leighharrison
Level 7
Level 7

‎11-17-2020 02:16 AM

Hello folks,

 

When configuring Client-Certificate for AnyConnect VPN on Firepower, what does the FTD use to evaluate the Client Certificate?

 

I have the Root CA and Sub CA certs in the FMC under Trusted CA's, but I'm still getting authentication failure on Cert Only Authentication.  On the end user device it is saying no valid certificates available for authentication.

 

Best, Leigh

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to leighharrison

‎11-20-2020 08:18 PM

I believe AnyConnect will look in the personal certificates folder of the respective store (User or Local Computer) that you've specified in the profile.

Local Computer certificate storeLocal Computer certificate store

View solution in original post

0 Helpful
5 Replies 5

Go to solution
kapydan88
Level 4
Level 4

‎11-18-2020 01:57 AM

Hello.

 

Can you describe more exactly - how you generated caertificates and uploaded it inti FMC.

0 Helpful

Go to solution
leighharrison
Level 7
Level 7
In response to kapydan88

‎11-20-2020 04:56 AM

Hi,

 

I've got the certificate of the Root CA and the Sub CA and imported them into the FTD via FMC as PKCS12 in Devices > Certificates and their status is good.

 

Best, Leigh

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-19-2020 10:31 AM - edited ‎11-19-2020 10:32 AM

In the VPN profile you should have specified for the client to use User, Machine or either certificate for authentication. The AnyConnect profile will then look in the local certificate store(s) for a certificate to present to the FTD headend.

0 Helpful

Go to solution
leighharrison
Level 7
Level 7
In response to Marvin Rhoads

‎11-20-2020 04:02 AM

Hi Marvin,

 

I've got that all set up with the certificate in the machine store and the profile set to request the machine cert, but it still comes back with "No valid certificates available for authentication".  Is there a specific certificate store anyconnect looks at?

 

Best, Leigh

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to leighharrison

‎11-20-2020 08:18 PM

I believe AnyConnect will look in the personal certificates folder of the respective store (User or Local Computer) that you've specified in the profile.

Local Computer certificate storeLocal Computer certificate store

0 Helpful
Top