ASA AnyConnect always checks the certificate of the client (solved!)

Anton Pestov
Level 1

Even if "authentication aaa" was configured in the tunnel-group, the ASA always checks the user's certificate:

- if connecting before logon (Windows, using the SBL feature) without "ssl certificate-authentication interface OUTSIDE port 443": Error "Connection attempt failed. Please try again.", connection fails;

- if using the SBL feature with "ssl certificate-authentication interface OUTSIDE port 443": "No valid certificates..." Error: "Internal Error (client certificate error)", connection fails;

- if connecting after logon: "No valid certificates available for authentication..." and then a window to enter username and password (authentication aaa); connection succeeds.

Why does the ASA always check the certificate, even if only "authentication aaa" was configured?!

P.S.:

- Windows 7

- ASA5510 (latest IOS)

- AnyConnect 3.0 (latest version)

2 Replies

Anton Pestov
Level 1

There are a few steps to the solution:

1. For the SBL feature, client certificate authentication must be enabled on the ASA. The command, for the WebVPN default port:

!
ssl certificate-authentication interface OUTSIDE port 443
!

2. The trustpoint, the ASA certificate and the FQDN of the VPN (to which the AnyConnect client connects) must have identical, matching FQDN/subject-name parameters, for example:

!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address
!
crypto ca trustpoint TRUSTPOINT-ASA
 revocation-check crl none
 enrollment url http://:80/certsrv/mscep/mscep.dll
 fqdn ..
 subject-name cn=,dc=,dc=,o=,l=
 ip-address
 password *
 keypair TRUSTPOINT-ASA
 no client-types
!
ssl trust-point TRUSTPOINT-ASA
ssl certificate-authentication interface OUTSIDE port 443
!

ASA# sh crypto ca certificates TRUSTPOINT-ASA
Certificate
  Status: Available
  Certificate Serial Number: ....
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
  ...
  Subject Name:
    cn=
    o=
    l=
    dc=
    dc=
    hostname=..
    ipaddress=
  ...
  Associated Trustpoints: TRUSTPOINT-ASA

CA Certificate
  Status: Available
  Certificate Serial Number: ...
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
  ...

3. With AnyConnect we connect by FQDN (in the example above, ".."), not by IP (otherwise there will be an error, see above).

Hi Anton,

Actually, in order to authenticate your AnyConnect clients with an SSL user certificate, you do not need the "ssl certificate-authentication interface OUTSIDE port 443" command.

You can now define this per connection profile:

tunnel-group AnyConnect webvpn-attributes
 authentication certificate

AnyConnect Certificate Based Authentication

On the other hand, to define a certificate on the outside interface (signature), use the command:

ssl trust-point MY_TRUSTPOINT outside

ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example

BTW, for AnyConnect SBL, the certificates should be moved to the machine store.

Let me know.

Portu.

Thanks.

Please rate any posts that you find useful.

PD: It also applies to AnyConnect and not only to WebVPN. Message was edited by: Javier Portuguez
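Putting Anton's three steps and Portu's per-connection-profile "authentication certificate" together, the following is a complete ASA configuration as an added example; it is not from either poster and is not the configuration of the ASA in the thread. The hostname vpn.example.com, the trustpoint, key, group-policy and tunnel-group names, the AnyConnect image path and the ASA 8.4-style "anyconnect" keywords under "webvpn" (8.2 uses "svc") are assumptions. Two profiles are shown side by side: one that authenticates by client certificate only and one that authenticates by username/password only, which is the "authentication aaa" case from the original question.

```cisco
! Added example (hypothetical names): vpn.example.com, VPN-ID-KEY, VPN-ID-CERT,
! USER-CA, AC-GP, AC-CERT, AC-AAA. ASA 8.4-style syntax assumed.
!
! --- ASA identity certificate (Anton's step 2) ---
! fqdn/subject-name must match the name the client connects to, so the
! AnyConnect client is pointed at vpn.example.com, not at the IP address.
crypto key generate rsa label VPN-ID-KEY modulus 2048
crypto ca trustpoint VPN-ID-CERT
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example
 keypair VPN-ID-KEY
 crl configure
!
! --- CA that issued the user (client) certificates ---
crypto ca trustpoint USER-CA
 enrollment terminal
 revocation-check crl
 crl configure
! Then, at the exec prompt: crypto ca authenticate USER-CA,
! crypto ca enroll VPN-ID-CERT, crypto ca import VPN-ID-CERT certificate.
!
! --- Bind the identity certificate to the outside interface (Portu's reply) ---
ssl trust-point VPN-ID-CERT OUTSIDE
! Anton's step 1: in his setup this was required for Start Before Logon (SBL).
! Portu notes it is not required for certificate authentication as such.
! For SBL the user certificate must live in the Windows machine store.
ssl certificate-authentication interface OUTSIDE port 443
!
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-3.0-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
group-policy AC-GP internal
group-policy AC-GP attributes
 vpn-tunnel-protocol ssl-client
!
! --- Profile 1: client certificate only (Portu's per-profile setting) ---
! "authentication aaa certificate" would require both factors instead.
tunnel-group AC-CERT type remote-access
tunnel-group AC-CERT general-attributes
 default-group-policy AC-GP
tunnel-group AC-CERT webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/cert enable
!
! --- Profile 2: username/password only (the "authentication aaa" case) ---
tunnel-group AC-AAA type remote-access
tunnel-group AC-AAA general-attributes
 authentication-server-group LOCAL
 default-group-policy AC-GP
tunnel-group AC-AAA webvpn-attributes
 authentication aaa
 group-url https://vpn.example.com/aaa enable
```

To check the result, "show crypto ca certificates VPN-ID-CERT" should list the hostname under Subject Name exactly as the client types it, "show running-config ssl" should show the trust-point bound to OUTSIDE, and after a test connection "show vpn-sessiondb anyconnect" shows which tunnel-group the session landed in.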