Anyconnect VPN with Microsoft CA and a Public certificate

Hi there,

 

I'm looking for a bit of help with a scenario. I'm no networking expert by any stretch and I won't be implementing this myself but I need to try and understand if what I'm looking for is possible.

We're implementing an Anyconnect VPN with certificate authentication from our own internal Microsoft CA. I have a product that will distribute certificates from a template to the mobile devices rather than the ASA itself. We've got the our CA certificate and an identity certificate on the ASA and the authentication works.

However, the Anyconnect IOS app complains of an untrusted VPN.

So from there I get that I need a public certificate on the ASA, but can I still have the Microsoft CA certificate and identity certificate doing the authentication of the end users?

I may have worded some of that wrong but I think that gives an idea of where I'm trying to go.

Any pointers would be greatly appreciated.

Accepted Solution

Marvin Rhoads (Hall of Fame)

Yes - IOS is a bit finicky about not wanting to trust internal CA-issued certificates. You can purchase and install a certificate from a well-known public CA and use that to identify your ASA. That will be the certificate bound to the ASA outside interface and it will allow IOS-based (and all other) clients to connect using that certificate.

That part is distinct from the device or user certificates on the clients. Those can still be used and, as long as the ASA has imported the server public key and trusts the Microsoft CA, both can co-exist.


Thanks for the reply Marvin.

Does that mean that my ASA will have two CAs listed?

You're welcome.

Only one certificate (issued by one CA) is used as the ASA's identity certificate. 

Hi Marvin and stuart.mackillop

Was your trouble solved?

I have a problem when I deploy ASA AnyConnect for my users. Can you help me solve it?

I have an internal CA server. The ASA uses the CA certificate.

With Windows machine users, after trusting the CA, I can easily create a certificate request file, import and issue it at the CA server, and export that certificate to a file and import it on the user machine. The user can use AnyConnect with the cert.

But with mobile device users (iOS and Android), I don't know how to create certificates for them.

Please help me solve this, or do you have any recommendations for this?

Thanks

tahequivoice (Level 2)

Other than adding a layer of complexity with a MS CA server for distributing certificates to end users, what benefit would it be aside from adding users through AD? What does it do that the built-in CA server on the ASA doesn't?

Is there an advantage, or disadvantage?

Many organizations prefer to administer user accounts from a central directory service.

One good reason for doing so is that there are then fewer touch points for adding and removing users - and presumably better chances that their account is removed when they are no longer with the company. They may have procedures and controls for doing so in place that allow them to better secure their infrastructure and meet regulatory or legal requirements.

If we use the ASA CA, it puts that burden on the ASA administrator. Depending on their background and the environment, they may have little or no certificate experience.

How does that work then? If the ASA issues the certificate, is it based on the public CA that is used for the trustpoint? If the MCS issues it, what is it based on, and how is the certificate then issued to the end user?

I have set up a certificate server on MS via a third party, and it was a PITA to get working, and when something changed, it was another PITA to get resolved.

If we use the ASA CA, it issues certificates based on its own root. That's distinct from any public CA root that may have issued an identity certificate to the ASA.

If clients' certificates are issued from an internal server (e.g. Certificate Services running on Microsoft Windows Server or some other internally-managed PKI product) they can get those certificates via the ASA (proxying web enrollment via SCEP) or have them deployed using an enterprise software deployment scheme. In that case, that PKI service's root certificate must be trusted by the client - again either via manual install or via pushing the settings out remotely.

In either case, the Windows server can revoke user certificates or delete users, as necessary.
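The two points Marvin makes above (the ASA's identity certificate from a public CA is separate from the user certificates, and the ASA must trust the internal Microsoft CA root for those user certificates to validate) can be checked with plain X.509 chain validation. The following Go program is an added example, not code from this thread or from Cisco: it constructs a throwaway "public" root and a throwaway "internal" root, issues an ASA identity certificate from each and a user certificate from the internal root, and then runs the four verifications the thread discusses. The CA names, the hostname `vpn.example.com` and the user name are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot builds a self-signed root CA. Both roots in this example are
// constructed for the demonstration; neither is a real public or Microsoft CA.
func newRoot(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueLeaf has root sign an end-entity certificate for one purpose:
// server authentication for the ASA identity, client authentication for a user.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, cn string, serial int64,
	usage x509.ExtKeyUsage, dns []string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// chainsTo reports whether leaf validates to one of the given roots for the
// given purpose; dns is the expected hostname ("" skips the name check).
func chainsTo(leaf *x509.Certificate, usage x509.ExtKeyUsage, dns string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dns, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}

// Outcome holds the four checks the thread talks about.
type Outcome struct {
	ClientTrustsInternalSignedASA bool // mobile client (public roots only) vs. internal-CA ASA cert: the "untrusted VPN" case
	ClientTrustsPublicSignedASA   bool // same client after the ASA gets a public-CA identity cert
	ASATrustsUserViaPublicRoot    bool // user cert checked against the public root only
	ASATrustsUserViaInternalRoot  bool // user cert checked with the Microsoft CA root also imported
}

// Scenario builds both PKIs and runs the checks; every name below is constructed.
func Scenario() Outcome {
	publicRoot, publicKey := newRoot("Example Public CA (constructed)", 1)
	internalRoot, internalKey := newRoot("Example Internal Microsoft CA (constructed)", 2)
	host := "vpn.example.com" // placeholder for the ASA outside-interface name

	asaInternal := issueLeaf(internalRoot, internalKey, host, 10, x509.ExtKeyUsageServerAuth, []string{host})
	asaPublic := issueLeaf(publicRoot, publicKey, host, 11, x509.ExtKeyUsageServerAuth, []string{host})
	user := issueLeaf(internalRoot, internalKey, "user1@example.com", 12, x509.ExtKeyUsageClientAuth, nil)

	return Outcome{
		ClientTrustsInternalSignedASA: chainsTo(asaInternal, x509.ExtKeyUsageServerAuth, host, publicRoot),
		ClientTrustsPublicSignedASA:   chainsTo(asaPublic, x509.ExtKeyUsageServerAuth, host, publicRoot),
		ASATrustsUserViaPublicRoot:    chainsTo(user, x509.ExtKeyUsageClientAuth, "", publicRoot),
		ASATrustsUserViaInternalRoot:  chainsTo(user, x509.ExtKeyUsageClientAuth, "", publicRoot, internalRoot),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints `false true false true`: a client that only carries public roots rejects the internal-CA identity certificate (the iOS warning from the first post), accepts the public-CA one, and the user certificate only validates once the internal root is in the verifier's pool, which is the "import the Microsoft CA" step on the ASA side. Adding the second root does not disturb validation of the first, which is why both can co-exist.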

Is there a doc with this setup for Anyconnect mobile using OnDemand for Jabber? Reason I'm asking is a customer wants to use AD for sending the certificates.

Is this what you're looking for?

http://www.cisco.com/c/dam/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/guide_c07-717020.pdf

What I am looking for is the configuration guide on setting up the Microsoft portion. I have the ASA fully working and sending certs, but the end user who maintains the users cannot get ASDM to load due to Java issues, and would rather do it all through AD instead.

I just don't know what keywords to use to look for the correct docs.

I'd suggest raising a new topic then asking the question. However, you're probably looking for a Microsoft document rather than a Cisco one. Then you're looking for a method to distribute your certificates to the client devices.

Spot on Marvin. That explains exactly why I needed it.

I've now got my public SSL cert in place with no more annoying warnings. My internal certificates from my PKI infrastructure are working for authentication.

All seems pretty good except now I'm getting a FIPS error when the iPads connect. You fix one issue and then another appears. Thanks a lot for your help.