09-13-2012 04:30 AM - edited 02-21-2020 06:19 PM
Hi,
I am configuring a VPN solution for a large organisation. I have selected AnyConnect as the product of choice as it is the natural successor to the current IPSec client.
The design criteria states that the solution should take advantage of the "Always On VPN" function to allow roaming between trusted and non-trusted networks. Equally the user authentication piece should be 'transparent' (i.e. non-interactive) and should use an existing internal (PKI) machine certificate to achieve this requirement.
I have a public certificate installed and bound to the external interface of the VPN (ASA5540). This resolves correctly to the URL of the VPN service. This is an external certificate and not from the PKI. I have configured the internal PKI certificate as the 'fallback' certificate.
Each user machine has certificates automatically enrolled and stored in the machine store of their Windows 7 laptops. I have configured a connection profile (tunnel-group) that uses "certificate" as the authentication mechanism. I have also configured an AnyConnect Client Profile with correct certificate store selection and always on VPN configuration.
The initial session builds but fails at the user authentication point. I am now concerned that because the external certificate is used to build the tunnel-group, the user authentication part will be using the same certificate which will fail.
Any thoughts on this please?
09-13-2012 04:36 AM
You are only saying that you installed an identity-cert from your internal CA. Have you also installed the corresponding root-certificate in the ASA?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-13-2012 04:57 AM
Hi
If I were you I would just try to show the client how Always On VPN works, since I have noticed that it does not create a very user-friendly experience and sometimes becomes really annoying with all the alert messages.
09-13-2012 05:27 AM
Hi,
In order for the certificate authentication to work you need:
1- A user certificate on the client machine.
2- The Root certificate from the CA server installed in the ASA.
Check this doc:
AnyConnect Certificate Based Authentication
Let me know if you have any questions.
Portu.
Please rate any post you find helpful.
09-13-2012 06:02 AM
Hi All,
Thanks for responding - it is appreciated.
I do have the internal CA root certificate for the trusted PKI installed and available. I also have an internal device identity certificate for the ASA5540 installed.
The client machines only have a machine certificate installed (no user cert) in the default machine store of the Windows 7 build. I do not believe this will be a major problem as long as the AnyConnect profile is configured to search the machine store - which it is.
I have read the document and - unfortunately - it has not really cleared my mental block.
Here's what I think should happen - please correct me if I am wrong...
1. Trusted device connects via wired or wireless on pre-defined networks contained in Network Manager profile (.nsp)
2. Trusted device roams to non-trusted network (external/hotel/home) and upon receiving an IP address the VPN client is immediately engaged (either visible or SBL)
3. SSL tunnel is built to the external interface of the VPN - this is the external public certificate (Verisign/Thawte etc.)
4. User authentication via pre-configured tunnel-group should leverage VPN profile editor (.xml) and checks machine certificate store
5. Machine certificate is retrieved/copied/cached and then parsed against root CA on ASA for matching string
6. Match found and access granted
7. Network access policy downloaded to client
8. Hi ho, Hi ho...it's off to work we go... ...
From step 4 I am having problems....
I have asked for a new certificate on the external interface as the one I am using may be causing issues - I am currently waiting for that now. But if you have any other thoughts I would be a happy man....
Cheers
09-13-2012 06:15 AM
The outside certificate does not have a place during the certificate authentication.
The user's certificate and the Root certificate installed in the ASA should come from the same internal CA server.
If you have moved the certificates to the machine store, then make sure you have the correct path in the AnyConnect XML file.
Run "debug crypto ca 255" on the ASA and try to connect with the AnyConnect, attach the output.
Thanks.
Portu.
09-13-2012 06:16 AM
have you checked the option "Certificate Store Override" in the profile?
09-13-2012 06:38 AM
Please check Karsten's question and if you have it checked, then proceed with the information that I requested in my previous post.
Thanks.
09-13-2012 07:57 AM
Hi Guys,
"The outside certificate does not have a place during the certificate authentication" - this statement makes me happy...
I thought this was the case, but had started to doubt myself...
I definitely have the root CA installed on the ASA and the clients have the certificate installed in their machine store because this certificate is already used for transparent wireless authentication which works OK.
In the VPN policy editor, I believe I have the settings correctly selected i.e. force machine store search and I have also unchecked 'Disable Automatic Certificate Selection' so that automatic certificate selection cannot be interrupted by the user.
I think my problem stems from having a second root CA certificate installed. This root CA is mapped to another public certificate (that was existing from previous VPN solution) and maybe this one was being parsed first and not matched. I am guessing that a 'no match' condition immediately disconnects the user connection rather than allow an extended period of time for potential intrusion?
Once I get the new external certificate (probably tomorrow now) I will (a) remove the old root CA and (b) set the debug going and try again. If I get any issues I will report back.
Thanks for your patience....
Cheers
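The client-side settings the thread keeps coming back to (machine certificate store, Certificate Store Override, automatic certificate selection, Always On) all live in the AnyConnect client profile XML. The following lint script is an added example, not Cisco's tooling or anything posted in the thread; element names follow the AnyConnect profile schema and the defaults assumed for missing elements are those of the profile editor (an assumption), with two constructed sample profiles embedded for comparison.

```python
"""Lint an AnyConnect client profile for the settings discussed in this thread.
Added example, not Cisco tooling; defaults for missing elements are assumed."""
import xml.etree.ElementTree as ET
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

def _text(parent, path, default):
    # Profile booleans are element text ("true"/"false"), sometimes with children.
    node = parent.find(path, NS) if parent is not None else None
    return node.text.strip() if node is not None and node.text else default

def check_profile(xml_text):
    """Return a list of findings; an empty list means the profile matches the design."""
    init = ET.fromstring(xml_text).find("ac:ClientInitialization", NS)
    findings = []
    store = _text(init, "ac:CertificateStore", "All")
    if store not in ("Machine", "All"):
        findings.append(f"CertificateStore={store}: machine store is never searched")
    if _text(init, "ac:CertificateStoreOverride", "false") != "true":
        findings.append("CertificateStoreOverride=false: non-admin users cannot use the machine store")
    if _text(init, "ac:AutomaticCertSelection", "true") != "true":
        findings.append("AutomaticCertSelection=false: user is prompted to pick a certificate")
    policy = init.find("ac:AutomaticVPNPolicy", NS) if init is not None else None
    if _text(policy, "ac:AlwaysOn", "false") != "true":
        findings.append("AlwaysOn is not enabled")
    elif _text(policy.find("ac:AlwaysOn", NS), "ac:ConnectFailurePolicy", "Closed") != "Closed":
        findings.append("ConnectFailurePolicy=Open: client fails open when the headend is unreachable")
    return findings

# Constructed sample: user store, no override, no Always-On (what to avoid here).
WEAK_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>User</CertificateStore>
    <AutomaticCertSelection>false</AutomaticCertSelection>
  </ClientInitialization>
</AnyConnectProfile>"""

# Constructed sample: machine store forced, Always-On fail-closed.
HARDENED_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <AutomaticCertSelection>true</AutomaticCertSelection>
    <AutomaticVPNPolicy>true
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed</ConnectFailurePolicy>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""
```

Run `check_profile()` against the profile exported from the ASA (or the one in the client's profile directory) to confirm the settings before chasing the certificate chain with `debug crypto ca`.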