AnyConnect with Certificate and Start Before Login

sjbdallas
Level 1

We are using AnyConnect 2.4.1012 with a public key user certificate.

If the user has logged into their machine, plugs in their key, and starts anyconnect, everything works fine.

If we try to use "Start Before Login" we get a "certificate is invalid for this group" error. 

SBL works fine if we use any other form of authentication (LDAP, SecurID, etc).

Any ideas?

2 Replies

Todd Pula
Level 7

For certificate authentication to work with SBL, the client certificate will need to be available in the machine store so that the AnyConnect client can access it.  If the certificate is present in the machine store but AnyConnect does not have rights, you can try to update the AnyConnect XML profile to include the switch below.

true

I am trying to make my NPE Certificate and Cisco SBL get along.

I have Cisco AnyConnect installed with only VPN and SBL. In addition I also have an NPE machine cert installed.

I can log into the laptop (Windows) on the corporate land line (CAT6) network and create my profile on the laptop. I can also drop off the land line and connect to the corporate Wi-Fi via the NPE certificate with no issue. I can also drop off the corporate Wi-Fi and corporate land line and authenticate via the VPN, and it works perfectly as well. On my VPN XML profile I have <CertificateStore>User</CertificateStore> for my VPN to work, and for the NPE to work I have a machine cert in the Local Computer Personal Certificate store.

  • So, now if I reboot and try to use SBL I get "Certificate Validation Error".
  • If I log back in and change to <CertificateStore>All</CertificateStore>, I still get the "Certificate Validation Error", and on the VPN I get an IPSec VPN Connection error.

Now, if I go in and delete the NPE Certificate from my laptop, and set the VPN XML file to <CertificateStore>All</CertificateStore>, both the SBL and VPN work with no issue.

If I modify the cert store pointer to User (<CertificateStore>User</CertificateStore>), SBL gets "Certificate Validation Error" but VPN works with no issue.

Trying to figure out where in the VPN XML file I can modify so that the SBL looks in the User cert store, so that NPE and SBL can coexist. Please assist.

Thank You
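Before changing the profile, it helps to see which certificates each store actually offers. The script below is an added diagnostic and not from either reply; it assumes PowerShell on the Windows endpoint and that the VPN certificate carries the Client Authentication EKU. SBL runs before any user logs on, so only the Local Computer store is reachable at that point; the per-user store only exists once a profile is loaded.

```powershell
# Added diagnostic (not part of the thread): list client-auth certificates in the
# stores AnyConnect can read, and flag which ones are reachable before logon.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-VpnClientCerts {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath | Where-Object {
        $ekus = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # No EKU extension means "any purpose"; otherwise require Client Authentication.
        (-not $ekus) -or ($ekus.EnhancedKeyUsages.Value -contains $clientAuthOid)
    } | ForEach-Object {
        [pscustomobject]@{
            Store         = $StorePath
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            NotAfter      = $_.NotAfter
            # Only the machine store is available while SBL runs (no user logged on).
            VisibleToSBL  = ($StorePath -like 'Cert:\LocalMachine\*')
        }
    }
}

# <CertificateStore>User</CertificateStore> restricts AnyConnect to CurrentUser\My,
# which SBL can never see; <CertificateStore>All</CertificateStore> includes both.
$certs = @(Get-VpnClientCerts -StorePath 'Cert:\LocalMachine\My') +
         @(Get-VpnClientCerts -StorePath 'Cert:\CurrentUser\My')

$certs | Format-Table Store, Subject, HasPrivateKey, NotAfter, VisibleToSBL -AutoSize

if (-not ($certs | Where-Object { $_.VisibleToSBL -and $_.HasPrivateKey })) {
    Write-Warning 'No client-auth certificate with a private key in LocalMachine\My: SBL cannot authenticate with a certificate.'
}
```

Run it as an administrator so the private-key status of machine-store certificates is reported correctly; a certificate listed with HasPrivateKey false is one the client can see but cannot use.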