02-03-2010 12:20 PM - edited 02-21-2020 04:29 PM
Hi all,
I would like to use SSL VPN (AnyConnect) with the following authentication setup on my ASA 5510s in failover:
- AAA LDAP to authenticate my users on AD
- machine certificate authentication to verify if a corporate asset connects to the VPN
Without the machine certificate authentication, the setup works very well. All users can authenticate and the VPN connection is established.
As soon as I add the requirement for the machine certificate authentication, it doesn't work any longer.
I've tried this:
- uploaded my root CA certificate to the ASA
- in the properties of my connection profile, I've set the "authentication method" to both
- added the command "ssl certificate-authentication"
When I now try to connect with Anyconnect, I'm unable to select my connection profile. The "Group" field in the Anyconnect client is just blank.
After entering the username and password nothing happens.
After changing the authentication method on the ASA to "AAA", the connection profile shows correctly on the Anyconnect client and I'm able to login.
Any ideas? What are the necessary steps to configure machine certificate authentication + LDAP for Anyconnect SSL VPN?
Many thanks!
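For reference, the steps listed in the question (root CA on the ASA, authentication method "both", `ssl certificate-authentication`) plus an LDAP server group look like this in ASA CLI form. This is an added example, not the poster's configuration: the trustpoint, server-group, tunnel-group and alias names, the AD host address and base DN, and the bind account are all assumed placeholders, and the `svc` keywords are the 8.2-era syntax current at the time of the thread (later releases use `anyconnect` in their place).

```cisco
! --- Assumed names and addresses (placeholders, replace with your own) ---
!   Trustpoint for the corporate root CA:     CORP-ROOT-CA
!   LDAP server group / AD domain controller: AD-LDAP / 10.0.0.10
!   Connection profile (tunnel-group):        CORP-SSLVPN

! 1. Import the root CA that issued the machine certificates
crypto ca trustpoint CORP-ROOT-CA
 enrollment terminal
 crl configure
crypto ca authenticate CORP-ROOT-CA
! (paste the base64 PEM body of the root CA certificate, then type "quit")

! 2. LDAP server group pointing at Active Directory
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-ldap-bind,ou=Service Accounts,dc=example,dc=local
 ldap-login-password <bind-account-password>
 server-type microsoft

! 3. Ask the client for a certificate in the TLS handshake on the outside interface
ssl certificate-authentication interface outside port 443

! 4. Enable AnyConnect on the outside interface and show the group list to the client
webvpn
 enable outside
 svc image disk0:/<anyconnect-package>.pkg 1
 svc enable
 tunnel-group-list enable

! 5. Connection profile requiring BOTH a valid certificate and LDAP credentials
tunnel-group CORP-SSLVPN type remote-access
tunnel-group CORP-SSLVPN general-attributes
 authentication-server-group AD-LDAP
tunnel-group CORP-SSLVPN webvpn-attributes
 authentication aaa certificate
 group-alias CORP-SSLVPN enable
```

`show crypto ca certificates` confirms the root CA was imported, and `test aaa-server authentication AD-LDAP username <user> password <pass>` checks the LDAP bind and lookup independently of the VPN client; `debug webvpn` and `debug ldap 255` on the console show which of the two authentications a failing connection gets stuck on.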
02-03-2010 12:54 PM
Hey there, this is what I got from our KB. It seems you need to have Secure Desktop to enable certificate validation; follow this procedure:

To check if a machine has a certificate before the user is even prompted for a login, you will need to use Secure Desktop Manager. Open up ASDM, click on Remote Access VPN > Secure Desktop Manager > Setup and make sure that you have Secure Desktop on the flash of your ASA and make sure that the checkbox "Enable Secure Desktop" is checked. After that has been checked, a tab called Prelogin Policy should come up. Click on that and there should be a diagram that looks like the following:

Start ---->+Default

Click on the "+" sign next to the Default policy and change the check to certificate and configure the certificate on what you want it to check for.
Let us know how it works.