Anyconnect Client Certificate

tcollins2015
Beginner

Can someone advise on what type of certificate is needed on the client machines? We are using an internal MSFT CA configured with our ASA. Are there any instructions on the type of certificate template or any specific fields, etc., needed for the clients, which will just be home machines? We are not using SCEP, so can we generate certs internally and supply them to the clients as needed?


pjain2
Cisco Employee

Please see the link below:

https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication

The certificate type should be: user certificate.

You can generate the certs internally and then install them on the individual client machines.
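A pre-distribution check for the internally generated user certificates discussed in this reply, added here as an example and not taken from the linked blog or from any Cisco tool: it verifies that a candidate client certificate chains to the root certificate that is installed on the ASA and that it carries the TLS client-authentication EKU a user certificate template provides. The demo PKI (a root, a user cert, and a certificate cut from a web-server-style template) is constructed inline with Go's standard library, and Go's chain validation is assumed to stand in for the gateway's own validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent/parentKey; a nil parent means self-signed. Demo helper only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckClientCert returns nil only if leaf chains to root (the CA cert installed on the
// gateway) and carries the clientAuth EKU; anything else is the error the chain check raised.
func CheckClientCert(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// demoCerts builds a constructed stand-in for the internal CA and returns the root,
// a user cert (clientAuth EKU) and a web-server-style cert (serverAuth EKU only).
func demoCerts() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	now := time.Now()
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf := func(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
		c, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			ExtKeyUsage: []x509.ExtKeyUsage{eku}}, root, rootKey)
		return c
	}
	return root, leaf(2, "jdoe", x509.ExtKeyUsageClientAuth), leaf(3, "vpn.example.test", x509.ExtKeyUsageServerAuth)
}
```

Run CheckClientCert against the root you exported to the ASA and each certificate before handing it to a home machine; a certificate from the wrong CA or from a server template fails the check.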

Does this configuration use the Essentials or Premium license? If Essentials, can it be used with CAC?

You would need an Essentials or a Premium license if you want to connect more than 2 users.

Please specify what CAC is.

Well, I have the Essentials and am trying to connect with certificates (CAC, common access card), but I keep getting errors when using LDAP with certificates. No users are able to log in without an ID/PSWD, which I cannot use. Here is a copy of my config....

Do you have the root cert on the ASA from which the client certs have been issued?

Also, is the trustpoint applied correctly on the outside interface?

Please share the debug outputs of the following when the client tries to connect:

debug crypto ca messages 255

deb crypto ca transac 255

debug cry ca 255

Yes, the root cert is installed on the ASA, along with this trust point:

crypto ca trustpoint ID-Root

Output of show run ssl

and the above-mentioned debugs

Result of the command: "sh run all ssl"

ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint1 outside

Result of the command: "sh asp table sock"


Protocol  Socket    Local Address               Foreign Address         State
TCP       004467af  192.168.223.231:22          0.0.0.0:*               LISTEN
SSL       004470ef  192.168.223.231:443         0.0.0.0:*               LISTEN
TCP       0005692f  216.38.80.2:22              0.0.0.0:*               LISTEN
SSL       00c8b6cf  216.38.80.2:443             0.0.0.0:*               LISTEN
DTLS      0088911f  216.38.80.2:443             0.0.0.0:*               LISTEN
SSL       004b24c8  192.168.223.231:443         192.168.223.93:61633    ESTAB
SSL       000cfaa8  192.168.223.231:443         192.168.223.93:61640    ESTAB
SSL       004c9f18  192.168.223.231:443         192.168.223.93:62014    ESTAB

I am still getting those crypto errors and wonder if you have any ideas.