ASA - Client VPN with Digital Certificate Authentication

Aurecon Group, Level 1

Hi

I am facing a weird issue with ASA: we want to set up client-based authentication with the Microsoft CA server. The setup is complete, the client machine got a certificate and authenticates well with the CA while logged in as an Administrator. However, if logged in as a normal user, I couldn't connect, as the AnyConnect client doesn't display prompts for keying the credentials. Please have a look at the attached snapshot for more details. I appreciate anyone's help with this issue.

Regards

Ram.

Message was edited by: Aurecon Group - This issue is now resolved

4 Replies

Herbert Baerten, Cisco Employee

hi Ram

If you are using user certs, note that every user needs to have its own cert (the screenshot shows that this user does not have a cert in its personal cert store).

If using machine certs, make sure the cert is in the machine store (and not in administrator's user store), and that <CertificateStoreOverride> is set to true in the profile (and that is set to either all or machine).

cfr. http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac03features.html#wp1061298

hth

Herbert

Hi Herbert

Thanks for the reply, really appreciate that. We are trying to deploy a machine certificate; I did confirm that the cert is stored in the machine. It works well when logged in as an admin, but doesn't work when logged in as a normal user. <CertificateStoreOverride> is also set, but it is not working.

Regards

Ram

OK, just to be sure: you do have set to either all or machine?

Does the client download the profile ok? I.e. is the profile on the disk the same as on the ASA?

Last but not least, check the logs; there is a separate AnyConnect category of logs in the Windows Event Viewer. There should be log entries saying which CertificateStore and CertificateStoreOverride settings are being applied, and possibly an entry telling you more about why it is failing.

hth

Herbert

Hi Herbert

Finally we resolved the issue, with the help of Cisco tech. We were missing the server details in the profile we created; on adding those details, things are good. Thank you very much for your help.

Regards

RS
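An added example, not from this thread or from Cisco: a small Python check that parses an AnyConnect client profile and flags the three things discussed above (CertificateStore not All/Machine, CertificateStoreOverride not true, and an empty ServerList, which was the root cause here). The sample profiles and the hostnames in them are constructed.

```python
"""Sanity-check an AnyConnect client profile for the settings discussed above."""
import xml.etree.ElementTree as ET

# Constructed sample (hostnames are hypothetical): machine-cert settings are set,
# but the ServerList is empty, mirroring the root cause reported in the thread.
PROFILE_MISSING_SERVER = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList/>
</AnyConnectProfile>
"""

# Same profile with a HostEntry added, i.e. the fix the thread ends on.
PROFILE_FIXED = PROFILE_MISSING_SERVER.replace(
    "<ServerList/>",
    "<ServerList><HostEntry><HostName>corp-vpn</HostName>"
    "<HostAddress>vpn.example.com</HostAddress></HostEntry></ServerList>",
)


def _local(tag):
    """Drop the namespace prefix so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def check_profile(xml_text):
    """Return a list of findings; an empty list means the profile passes."""
    root = ET.fromstring(xml_text)
    findings = []
    store = _find(root, "CertificateStore")
    value = (store[0].text or "").strip().lower() if store else ""
    # A machine cert lives in the machine store; the profile must allow that store.
    if value not in ("all", "machine"):
        findings.append("CertificateStore must be All or Machine for machine certs")
    override = _find(root, "CertificateStoreOverride")
    if not override or (override[0].text or "").strip().lower() != "true":
        findings.append("CertificateStoreOverride must be true")
    # Without a HostEntry the client has no server to connect to.
    hosts = [h for h in _find(root, "HostEntry") if _find(h, "HostAddress")]
    if not hosts:
        findings.append("ServerList has no HostEntry with a HostAddress")
    return findings
```

Run `check_profile()` against the profile actually downloaded to the client (the one Herbert suggests comparing with the copy on the ASA) rather than only the one you authored.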