AnyConnect with Computer certificate authentication

KevinYounil1
Level 1

Hello,

I have successfully implemented AnyConnect in our network; I am using user certificates and ACS for authentication. I face an issue when I try to use a computer certificate instead of a user certificate for authentication. I should mention that I have tested the following options in the AnyConnect client profile:

Certificate Store: All and Machine

Certificate Store Override enabled.

Has anyone any idea about that?


8 Replies

Rahul Govindan
VIP Alumni

Could you provide details on the issue you are facing? Are you getting any particular error message, or is it not picking up the certificate from the machine store?

Hi Rahul,

It's like there isn't any valid certificate on the client; I get this error message when I change Certificate Store to Machine.

[attached screenshot: 11611-config-double-authen-06.png]

Can you look in your machine and make sure that your machine downloads the AnyConnect profile with the machine certificate setting?

Hi Mohammad,

Yes I did, it is downloading the new profile and the setting shows the store has been set to Machine.

Are you logged in and attempting to connect to the VPN as a non-admin user? Only an administrator can access the local certificate store. Quick test: open an MMC and attempt to add the Certificates snap-in; if you can only select "Certificates - Current User", then the user you are logged in as is a non-admin user and cannot access the computer certificate store.

FYI, in my lab I am using a machine certificate with the AnyConnect VPN client and this works fine; however, I'm logged in as an administrator.

HTH

No, I am an admin on the client and able to see the computer certificate. Does getting authenticated with a user certificate mean that the certificate configuration is correct on the ASA? I mean trustpoints, etc.

Has anyone any guide to verify the steps for certificate authentication?

Hi!

This is an old topic, but I suspect you do not have the root CA which signed the machine cert in your appliance/ACS (not sure how your ACS policies are for authentication/authorization, but certificates are usually verified at the appliance level and then the cert attributes are extracted, mapped and sent to ACS/ISE for validation against an identity store). Make sure you look at the gateway logs; you should see the reasons there.

HTH.
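The two diagnostic points raised in this thread (can the logged-in session read the computer certificate store, and does the machine certificate chain to a root CA the ASA trustpoint actually holds) can be checked from the client in one pass. The PowerShell below is an added example; it is not from any of the posters and not Cisco's code. It assumes the machine certificate was enrolled into LocalMachine\My, that the headend expects the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), and that the function name `Test-MachineVpnCertificate` is just a name chosen here.

```powershell
# Added example (not from the thread). Enumerates certificates in the computer
# store, checks each for the Client Authentication EKU, validity window and an
# accessible private key, builds the chain offline, and reports the root CA so
# it can be compared with what is loaded in the ASA trustpoint.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (assumed requirement of the headend)

function Test-MachineVpnCertificate {
    try {
        # Opening LocalMachine\My fails for a restricted session; the thread's
        # MMC test is the manual equivalent of this call.
        $certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\My' -ErrorAction Stop)
    } catch {
        Write-Warning "Cannot read LocalMachine\My: $($_.Exception.Message). Re-run from an elevated (administrator) session."
        return
    }
    if ($certs.Count -eq 0) {
        Write-Warning 'LocalMachine\My is empty: the machine cert was never enrolled, or landed in the user store instead.'
        return
    }

    $now = Get-Date
    foreach ($cert in $certs) {
        # No EKU extension means "any purpose"; otherwise clientAuth must be listed.
        $ekuList = @($cert.EnhancedKeyUsageList)
        $ekuOk = ($ekuList.Count -eq 0) -or
                 (($ekuList | Where-Object { $_.ObjectId -eq $clientAuthOid }) -ne $null)
        $timeOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

        # Build the chain without revocation checking: this is a local sanity
        # check, the ASA performs its own CRL/OCSP lookup during the handshake.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            ClientAuthEku  = $ekuOk
            InValidity     = $timeOk
            HasPrivateKey  = $cert.HasPrivateKey
            ChainBuilds    = $chainOk
            ChainStatus    = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            RootCA         = $root.Subject
            RootThumbprint = $root.Thumbprint
        }
    }
}

Test-MachineVpnCertificate | Format-List
```

A certificate is a usable candidate only when ClientAuthEku, InValidity, HasPrivateKey and ChainBuilds are all true. The RootThumbprint it prints is what to compare against the CA certificate in the ASA trustpoint (`show crypto ca certificates` on the ASA); a chain that builds on the client but ends in a root the ASA does not hold reproduces exactly the "no valid certificate" behaviour described in the thread, and the headend logs will say so.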