Hi everyone,
recently I came across an interesting issue: with AnyConnect, I can not connect to ASA, while with OpenConnect (http://www.infradead.org/openconnect/) the connection works like a charm.
The difference is in the way both clients handle client certificates. While OpenConnect uses a certificate it is given on command line, AnyConnect follows a lot of rules while selecting a certificate from personal certificate store, finally choosing none. The error message is "No valid certificates available for authentication."
What I find interesting is that with the same certificate I am able to successfully connect to ASA using WebVPN (clientless VPN). This makes me believe that the certificate is a valid one from the perspective of ASA. ASA accepts connections with this certificate using both OpenConnect and WebVPN. However, AnyConnect refuses to use the same certificate for authentication. AnyConnect does not even send the certificate to ASA.This is apparent from ASA logs: they state "%ASA-7-717038: Tunnel group match found" for OpenConnect connections, but for AnyConnect, they do not mention the "certificate" word at all.
So far I have tried three different versions of AnyConnect: 2.5.3055, 3.1.00495, and 3.1.02043, all on Windows XP. ASA OS version is 8.4(2).
I have read release notes for AnyConnect and checked both the server (ASA) and the client certificate. They seem to satisfy all requirements stated in the release notes. Anyway, I would like to kindly ask the bright people in this forum to review the certificates and possibly spot an issue I may be overlooking.
The client certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
12:96:cc:45:00:00:00:00:0a:8f
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=cz, DC=quux1, CN=CA QUUX1 Internal 2
Validity
Not Before: Feb 20 12:24:34 2013 GMT
Not After : Feb 20 12:24:34 2015 GMT
Subject: DC=QUUX1, OU=VPN_Temp, CN=Lotrando Jindrich
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
...
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
3D:EE:2B:03:43:9F:07:BC:03:72:31:9E:5B:8F:7C:D3:C4:7F:B0:29
X509v3 Authority Key Identifier:
keyid:11:D0:54:3E:BC:F8:27:61:63:FB:92:4C:95:F5:0C:C8:CC:31:FD:90
The server (ASA) certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1d:1e:30:c7:00:00:00:00:08:8b
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=cz, DC=quux1, CN=CA QUUX1 Internal 2
Validity
Not Before: Mar 12 12:08:16 2012 GMT
Not After : Mar 12 12:08:16 2014 GMT
Subject: DC=QUUX1, CN=foo1.quux1.cz
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
...
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
C9:A9:C6:9A:FC:D4:49:FB:AB:ED:77:AA:E7:D3:8C:AA:28:4E:B5:28
X509v3 Authority Key Identifier:
keyid:11:D0:54:3E:BC:F8:27:61:63:FB:92:4C:95:F5:0C:C8:CC:31:FD:90
The ASA requires clients to authenticate using both the certificate and username+password. With WebVPN it works, with AnyConnect it does not.
I have also tried to create an AnyConnect client profile on the ASA specifying conditions the client certificates must meet. However, there is a little Head XXII in there, because the profile can be downloaded and used only after successfully connecting to the ASA. So for the profile to help AnyConnect to connect, one has to manually place the XML file in the right directory on the client PC. Which I tried, but to no avail.
I have read a lot of articles here on Support Forums as well as bug descriptions in the Bug Toolkit. However, I could not find any solution or workaround which would help.
I would be very grateful for any advice!
Thank you for your attention.
Kind regards,
Rostislav Opocensky
checked—Allows AnyConnect to search a computer's machine certificate store even when the user does not have administrative privileges.
