11-17-2020 02:16 AM
Hello folks,
When configuring Client-Certificate for AnyConnect VPN on Firepower, what does the FTD use to evaluate the Client Certificate?
I have the Root CA and Sub CA certs in the FMC under Trusted CAs, but I'm still getting authentication failure on Cert Only Authentication. On the end user device it is saying no valid certificates available for authentication.
Best, Leigh
- Labels: AnyConnect, Remote Access, VPN
Accepted Solutions
11-20-2020 08:18 PM
I believe AnyConnect will look in the personal certificates folder of the respective store (User or Local Computer) that you've specified in the profile.
Local Computer certificate store
11-18-2020 01:57 AM
Hello.
Can you describe more exactly how you generated the certificates and uploaded them into FMC?
11-20-2020 04:56 AM
Hi,
I've got the certificate of the Root CA and the Sub CA and imported them into the FTD via FMC as PKCS12 in Devices > Certificates and their status is good.
Best, Leigh
11-19-2020 10:31 AM - edited 11-19-2020 10:32 AM
In the VPN profile you should have specified for the client to use User, Machine or either certificate for authentication. The AnyConnect profile will then look in the local certificate store(s) for a certificate to present to the FTD headend.
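Both this reply and the accepted answer come down to the same check: AnyConnect only offers what it finds in the Personal folder of the store named in the profile, and only certificates it can actually use for TLS client authentication. The script below is an added example, not something posted in this thread or shipped with AnyConnect. It walks the Personal (`\My`) folder of the chosen store and reports, per certificate, the conditions that commonly produce "No valid certificates available for authentication": no private key (a public cert was imported instead of a PKCS12), expired or not yet valid, an EKU extension without Client Authentication, KeyUsage without digitalSignature, or a chain that does not build because the Sub CA or Root CA is missing from the client's own Intermediate/Root stores. It assumes a Windows client, a profile set to the Machine store (pass `-Store CurrentUser` for User), and that revocation is checked by the headend rather than here; `-ExpectedIssuerCN` is an optional assumption for the issuing Sub CA name.

```powershell
# Added example (not from the thread or from Cisco): list the certificates AnyConnect can
# pick from in the store the profile names, and say why each one would be skipped.
# Assumptions: Windows client; run elevated for LocalMachine; Root/Sub CA installed
# in the client's Root and CA stores. Revocation is not checked here (headend's job).

param(
    # Store named in the AnyConnect profile: 'LocalMachine' (Machine) or 'CurrentUser' (User).
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$Store = 'LocalMachine',
    # Optional (assumed name): CN of the Sub CA expected to have issued the client cert.
    [string]$ExpectedIssuerCN = ''
)

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-VpnClientCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # Without an accessible private key the client cannot sign the TLS handshake,
    # so AnyConnect will never offer this certificate.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (public cert only)' }

    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $problems += "not valid at $now" }

    # If an EKU extension is present it must include Client Authentication.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) {
        $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($oids -notcontains $clientAuthEku) {
            $problems += "EKU present but lacks clientAuth ($($oids -join ','))"
        }
    }

    # KeyUsage, when present, must allow digitalSignature for TLS client auth.
    $kuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if ($kuExt) {
        $ds = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        if (-not ($kuExt.KeyUsages -band $ds)) { $problems += 'KeyUsage lacks digitalSignature' }
    }

    # Build the chain against the client's own Root/CA stores. A missing Sub CA here
    # shows up as PartialChain; an untrusted root as UntrustedRoot.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain does not build: $status"
    }
    $chain.Reset()

    if ($ExpectedIssuerCN -and $Cert.Issuer -notmatch "CN=$([regex]::Escape($ExpectedIssuerCN))") {
        $problems += "issued by '$($Cert.Issuer)', not by $ExpectedIssuerCN"
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# "Personal" in certlm.msc / certmgr.msc is the \My container on the Cert: drive.
$path = "Cert:\$Store\My"
Write-Host "Checking $path ..."
$results = Get-ChildItem $path | ForEach-Object { Test-VpnClientCertificate -Cert $_ }
$results | Format-Table Usable, Subject, Issuer, Problems -AutoSize

if (-not ($results | Where-Object Usable)) {
    Write-Warning "No certificate in $path passes every check; AnyConnect will report none available."
}
```

If every certificate fails only the chain check, the client is missing the Root or Sub CA in its own stores; if the only failure is "no private key", re-import the identity as a PKCS12 into the same store the profile points at (Machine certificates need to be in LocalMachine\My, not the user's Personal folder). Once a certificate passes here but the headend still rejects it, the problem has moved to the FTD side (trustpoint and certificate map configuration), which this script does not cover.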
11-20-2020 04:02 AM
Hi Marvin,
I've got that all set up with the certificate in the machine store and the profile set to request the machine cert, but it still comes back with "No valid certificates available for authentication". Is there a specific certificate store anyconnect looks at?
Best, Leigh
