Solved: Anyconnect with Client Cert Authentication

s1nsp4wn · ‎08-23-2019

ASA 9.8.3

I'm trying to setup certificate-based authentication for AnyConnect and running into errors "CRYPTO_PKI: No Tunnel Group Match for peer certificate. CERT_API: Unable to find tunnel group for cert using rules (SSL)" AND "CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number..."

The issuer CA of the certs is the same for client and server. I'll paste my config below, sanitized. What am I missing? Or is this a cert issue?

group-policy vpn_test internal
group-policy vpn_test attributes
wins-server value 1.2.3.4
dns-server value1.2.3.4
vpn-idle-timeout 540
vpn-session-timeout 1560
vpn-tunnel-protocol ssl-client
group-lock value vpn_test
default-domain value example.com
webvpn
anyconnect profiles value vpn_test type user
anyconnect ask none default anyconnect

!

tunnel-group vpn_test type remote-access
tunnel-group vpn_test general-attributes
authentication-server-group server
accounting-server-group server
dhcp-server 1.1.1.1
tunnel-group vpn_test webvpn-attributes
authentication certificate
group-url https://myurl.com enable

Francesco Molino · ‎08-26-2019

Here it seems you have a certificate validation issue between client and asa.
What kind of certificate are you using on your client side and what certificate have you imported in your asa?
Can you show the output of both certificates? (Remove any confidential things before pasting).

You're maybe missing one piece of the chain to be validated by asa.
To extract cn and authenticate the user for authorization, you can use a certificate map. Here a link which can help:
http://www.labminutes.com/sec0127_ssl_vpn_anyconnect_client_certificate_double_authentication_1

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎08-24-2019

Hi
You want to authenticate based on certificate or use the cn in your cert to authenticate the user?
Why do you authentication server on your general attributes?

Do you have the trustpoint configured?
Are you using a certificate map?

Did you run a debug? Can you share it please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

s1nsp4wn · ‎08-26-2019

I want to authenticate based on certificate, then based on ISE authorization once certificate is authenticated. I was under the impression listing common name in the configs would help in authentication process but i'm likely wrong. i'm using the tunnel group, group policy, and trustpoint. the trustpoint uses a root ca same as the client certificate. I've tried full chain and still no luck. Here's a snippet of the syslog error:

%ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: #, subject name: x.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: #, subject name: cn=3590a9ba-6b10-4d18-9861-ff94431c01c9, issuer name: x

Debug logs:

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=#, digest=

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints for connection type SSL

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: #

CRYPTO_PKI: No suitable TP status.

CRYPTO_PKI: Begin sorted cert chain
---------Certificate--------:
Serial: #
Subject: cn=x
Issuer: cn=x
---------Certificate--------:
Serial: #
Subject: e=x
Issuer: cn=x

CRYPTO_PKI: End sorted cert chain
CRYPTO_PKI: Cert chain pre-processing: List size is 2, trustpool is not in use
CRYPTO_PKI: List pruning is not necessary.
CRYPTO_PKI: Sorted chain size is: 2

Francesco Molino · ‎08-26-2019

Here it seems you have a certificate validation issue between client and asa.
What kind of certificate are you using on your client side and what certificate have you imported in your asa?
Can you show the output of both certificates? (Remove any confidential things before pasting).

You're maybe missing one piece of the chain to be validated by asa.
To extract cn and authenticate the user for authorization, you can use a certificate map. Here a link which can help:
http://www.labminutes.com/sec0127_ssl_vpn_anyconnect_client_certificate_double_authentication_1

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

s1nsp4wn · ‎08-27-2019

It's a wildcard certificate for the client that has client/server usage for eku and app policy. It's a full chain with private key. I am also using the same for the ASA. Oddly enough once I rebooted my test laptop, all start working. Now I'm trying to figure out what has changed or if anyconnect was just acting flaky. Are certificate maps needed for certificate authentication or just a way of separating functions? Also, I'm assuming the client needs to trust the same issuing authority that the firewall trustpoint does.

Francesco Molino · ‎08-28-2019

Certificate-maps aren't required but best to be used if you want to use certain fields to be checked against a radius a server for exemple or to set the right group-policy based on a specific field on ASA.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

s1nsp4wn · ‎08-28-2019

Awesome thank you. Got it working. I think the issue was client needed not only to trust the full chain on the asa, but also the asa identity itself. That or rebooting my pc fixed anyconnect.