01-08-2018 05:29 AM - edited 03-12-2019 04:53 AM
Hello,
I have successfully implemented AnyConnect in our network; I am using user certificates and ACS for authentication. I face an issue when I try to use a computer certificate instead of a user certificate for authentication. I should mention that I have tested the following options in the AnyConnect client profile:
Certificate Store: All and Machine
Certificate Store Override: enabled.
Does anyone have any idea about that?
01-08-2018 05:37 AM
Could you provide details on the issue you are facing? Are you getting any particular error message or is it not picking up the certificate from the machine store?
01-08-2018 05:45 AM - edited 01-08-2018 06:04 AM
Hi Rahul,
It's as if there isn't any valid certificate on the client; I get this error message when I change Certificate Store to Machine.
01-08-2018 08:00 PM
01-09-2018 07:23 AM
Hi Mohammad,
Yes, I did. It is downloading the new profile, and the setting shows the store has been set to Machine.
01-09-2018 09:52 AM
Are you logged in and attempting to connect to the VPN as a non-admin user? Only an administrator can access the local certificate store. Quick test: open an MMC and attempt to add the Certificates snap-in; if you can only select "Certificates - Current User", then the user you are logged in as is a non-admin user and cannot access the computer certificate store.
FYI, in my lab I am using a machine certificate with the AnyConnect VPN client and this works fine; however, I'm logged in as an administrator.
HTH
01-09-2018 12:24 PM
No, I am an admin on the client and able to see the computer certificate. Does getting authenticated with a user certificate mean that the certificate configuration is correct on the ASA? I mean trustpoints, ...
01-12-2018 07:49 AM
Does anyone have a guide to verify the steps for certificate authentication?
11-11-2021 01:07 AM
Hi!
This is an old topic, but I suspect you do not have the root CA which signed the machine cert in your appliance/ACS (not sure how your ACS policies are set up for authentication/authorization, but certificates are usually verified at the appliance level, and then the cert attributes are extracted, mapped and sent to ACS/ISE for validation against an identity store). Make sure you look at the gateway logs; you should see the reasons there.
HTH.
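The two checks raised in this thread (whether a usable certificate actually exists in the machine store, and which root CA signed it so that the same CA can be confirmed in the gateway's trustpoint) can be done from the client side in one pass. The script below is an added example, not code from the thread or from Cisco; it assumes an elevated PowerShell prompt on the Windows client (the LocalMachine\My store and its private keys need administrative rights, which is the point made above), and it skips revocation checking because it is only interested in the local trust path.

```powershell
# Added troubleshooting example (not from the thread): list every certificate in
# the machine personal store and report the properties a machine-certificate VPN
# client needs: a private key, a Client Authentication EKU (or no EKU at all),
# and a chain that builds to a root CA. The root CA subject/thumbprint printed
# here is what should be present in the gateway (ASA) trustpoint.
function Test-MachineVpnCertificate {
    [CmdletBinding()]
    param(
        # Assumption: the store AnyConnect searches when "Machine" is selected.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # EKU check: a certificate with no EKU extension is valid for any purpose.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($null -eq $ekuExt) {
            $hasClientAuth = $true
        } else {
            $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages |
                Where-Object { $_.Value -eq $clientAuthOid })
        }

        # Build the chain locally; revocation is deliberately not checked here
        # (assumption: we only want to know whether the trust path exists).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        # The last element of a built chain is the root (self-signed) CA.
        $root = $null
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        }

        $now = Get-Date
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            ValidNow       = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            ClientAuthEKU  = $hasClientAuth
            ChainBuilds    = $chainOk
            ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            RootCA         = if ($root) { $root.Subject } else { '' }
            RootThumbprint = if ($root) { $root.Thumbprint } else { '' }
        }

        $chain.Reset()
    }
}

# Usage: run elevated, then compare RootCA / RootThumbprint with the CA loaded
# into the ASA trustpoint and check ChainStatus for the reason a chain fails.
Test-MachineVpnCertificate | Format-List
```

A certificate that shows `HasPrivateKey = False`, `ClientAuthEKU = False`, or `ChainBuilds = False` is one the client cannot present for machine authentication, which matches the "no valid certificate" symptom described earlier in the thread; a certificate that passes all three but is still rejected points at the gateway side (the root CA missing from the trustpoint or a certificate map mismatch), which is where the gateway logs come in.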