anyconnect VPN certificate authentication Local and External CA

alexdelangel
Level 1

Hi Team,

 

I hope you are doing well! I've got a question for you; I hope you can help me. We've got an 8.4(6) 5550 ASA concentrating AnyConnect VPNs, authenticating via local CA certificate. Since we want to perform failover, we must change to an external CA.

 

The question is, if I can create a new VPN profile (tunnel-group) and authenticate via the new external CA, while keeping in the other profile the authentication with the local CA. I mean, can both local and external CA live at the same time? Can I authenticate one tunnel-group via the certificate of the local CA, and authenticate the second tunnel-group via the certificate of the external CA?

 

Please, feel free to request as much information as needed. Any comment or documentation will be appreciated.

 

Best Regards!

4 Replies

Kanwaljeet Singh
Cisco Employee

Hi Alex,

If you have two tunnel groups using two different trustpoints (using two different certificates), there shouldn't be a problem. You can have multiple CA certs.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Fnu,

 

Thanks for the answer. I've tried to find a config guide for this but have not succeeded. In the tunnel-group configuration there is no option to specify which certificate to use; I mean the commands would just be:

 

tunnel-group certgroup webvpn-attributes
 authentication certificate

So, I haven't found how to specify that another tunnel-group should authenticate with another certificate. Have you found a config guide?

 

Best Regards,

Hi Alex,

Oh, it's AnyConnect. I am sorry, I somehow read it to be a normal LAN-to-LAN tunnel. I am not too sure about AnyConnect. Let me check and get back to you. I think you should still be able to do it when you configure tunnel ipsec attributes.

 

Regards,

Kanwal

Note: Please mark answers if they are helpful.
Hello alexdelangel,

 

As long as you have the CA certificate of the new identity certificates that your users are using for authentication installed in the ASA, you should be able to authenticate all of them in any VPN profile. Unfortunately, you can't assign a specific trustpoint per VPN profile in AnyConnect (like you would do in IPsec), but you can force certain certificate characteristics onto a specific connection profile (tunnel-group) using certificate mapping.

 

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html#anc16
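As an added illustration of the certificate-mapping approach described in this answer (this is not configuration from the thread or from the linked Cisco document), the following ASA snippet keeps both CAs trusted at the same time and steers clients to a tunnel-group based on which CA issued their certificate. The trustpoint names, CA common names and tunnel-group names are placeholders chosen for the example; only the command syntax is real ASA 8.4 CLI.

```cisco
! Trust the external CA: import its root so client certs it issued can be validated.
! (The ASA's built-in local CA already lives in the auto-created LOCAL-CA-SERVER trustpoint.)
crypto ca trustpoint EXT-CA-TP
 enrollment terminal
 crl configure
crypto ca authenticate EXT-CA-TP
! <paste the external CA's PEM certificate here, then type "quit">

! Certificate maps: match on the issuer so each CA's users are recognised.
! CN values below are placeholders; match whatever your CAs actually put in the issuer DN.
crypto ca certificate map LOCAL-CA-MAP 10
 issuer-name attr cn eq asa-local-ca.example.com
crypto ca certificate map EXT-CA-MAP 10
 issuer-name attr cn eq corp-issuing-ca.example.com

! Tie each map to its own AnyConnect connection profile. Lower sequence numbers are
! evaluated first; a client whose certificate matches no map falls back to the
! default group (DefaultWEBVPNGroup) or to the group selected by URL/alias.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map LOCAL-CA-MAP 10 certgroup
 certificate-group-map EXT-CA-MAP 10 certgroup-ext

! Both tunnel-groups use certificate authentication; which CA is accepted is
! decided by the map above, not by a per-group trustpoint.
tunnel-group certgroup type remote-access
tunnel-group certgroup webvpn-attributes
 authentication certificate
tunnel-group certgroup-ext type remote-access
tunnel-group certgroup-ext webvpn-attributes
 authentication certificate
```

After a test client connects, `show vpn-sessiondb anyconnect` shows the tunnel group each session landed in, which confirms the map matched as intended.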
