ASA - Anyconnect CAC (Smart Card) Authentication

BrianColemangr8
Level 1

Running ASA 9.1.7.9, AnyConnect 4.3.05017.

Here's the situation:

Users have been able to use AnyConnect and get access to our LAN with no issues using their CAC (Common Access Card or Smart Card) to authenticate and bring the tunnel up. Great. Now we have a situation where the same users received a new CAC and are no longer able to authenticate. These same users are able to log on locally to the same domain that the ASA uses for CAC authentication.

So we know LDAP is functioning correctly because the older cards work. We also know that the new cards work locally because the users can log on to the same domain used by the ASA to authenticate old and new card users.

Has anyone seen this issue before or have any suggestions?

Card types for the old (working) cards are:

Gemalto DLGX4-A

Oberthur ID One 128 v5.5

New Card Types:

Oberthur ID One 128 v5.5a

Note: Using the same card reader for all the cards:

SCR3310 v2.0

1 Reply

Rahul Govindan
VIP Alumni

Has the certificate issuer changed with the new CAC card? You might want to run a debug on the ASA when authenticating with the new CAC card:

"debug crypto ca 3"

Another aspect could be that the AnyConnect client is unable to read the client certificate from the new CAC card, thus failing certificate authentication. A DART would prove useful to see if this is the case. Collect DART using these steps and look under "Anyconnect.txt" for the last connection:

https://supportforums.cisco.com/document/12747756/how-collect-dart-bundle-anyconnect
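The first thing the reply asks, whether the new cards were issued by a CA the ASA does not have in a trustpoint, can be checked offline before touching the ASA. The script below is an added example, not from this thread or from Cisco: it builds a throwaway "old" and "new" issuing CA, mints one card-style certificate from each, and then checks which CA each card certificate chains to, which is the same verification the ASA performs against its trustpoint CA certificates. All CA names, subjects and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: reproduce the "issuer changed" failure mode with openssl.
# Everything here is constructed test data; real CAC certs would be exported
# from the card (or from the DART/ASA debug output) and verified the same way.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_ca() {  # $1 = CA name; creates a self-signed root to stand in for an issuing CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/C=US/O=Example Org/CN=$1" 2>/dev/null
}

issue_card_cert() {  # $1 = issuing CA name, $2 = card cert name
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/C=US/O=Example Org/CN=USER.JANE.1234567890" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# Print the issuer DN of a card certificate: compare this between an old and a
# new card to answer "has the certificate issuer changed?"
cert_issuer() { openssl x509 -in "$1" -noout -issuer; }

# Return 0 if the card cert chains to the trusted CA file, 1 otherwise.
# A trustpoint on the ASA that only holds the old CA behaves like the failing case.
chains_to() {  # $1 = trusted CA crt, $2 = card crt
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build the scenario from the thread: old cards from one CA, new cards from another.
setup_demo() {
  make_ca old-id-ca
  make_ca new-id-ca
  issue_card_cert old-id-ca old-card
  issue_card_cert new-id-ca new-card
}
```

If the new card's certificate only verifies against a CA that is missing from the ASA, the fix is to import that issuing CA (and any intermediates) into the trustpoint used for AnyConnect certificate authentication rather than to change anything on the LDAP side.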