
ASA Secure-client Machine Cert Authentication

Najib Akbari
Level 1

I have an ASA configured for AlwaysOn SSL-VPN certificate authentication, which is working fine, but I want to change to computer-based authentication. The change I made is in the connection profile -> Primary field: changed from "UPN" to "CN", and it's failing. Please help.

[attached screenshot: NajibAkbari_0-1763602445370.png]

Also, what do you think of changing from a user-based cert to a machine-based cert for authentication? Is it better security-wise? The reason I want to change is that if it's user-based, the user at least has to log in one time and add the cert or push it for auth from the domain. Thoughts?

Accepted Solution

Najib Akbari
Level 1

For anyone who needs to know, in case it helps them:

It's fixed!

It turned out to be the public key RSA key length on the computer (1024) mismatched with the ASA RSA key length (2048). I changed the policy on the domain for the computer cert to 2048 and requested the new cert on the Windows machine, then AlwaysOn VPN based on the computer cert started working.

[attached screenshot: NajibAkbari_0-1763772767269.png]

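An added example (not from this thread or from Cisco) of the check that would have surfaced the key-length mismatch described in the accepted solution: it walks the computer's personal certificate store and reports each certificate's subject and RSA public key size, flagging anything below the ASA-side length. The 2048-bit minimum and the Cert:\LocalMachine\My store path are assumptions taken from the solution above; adjust both if your trustpoint or store differ.

```powershell
# Added example, not from the thread: audit the computer certificate store for
# RSA keys shorter than the length the ASA expects (2048 bits per the solution).
# Assumptions: the machine cert lives in Cert:\LocalMachine\My and the ASA-side
# minimum is 2048 bits; change both parameters if your environment differs.

function Get-MachineCertKeyAudit {
    param(
        [int]$MinimumRsaBits = 2048,                   # assumed ASA RSA key length
        [string]$StorePath   = 'Cert:\LocalMachine\My' # computer (not user) store
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |            # only certs with a private key (client-auth candidates)
        ForEach-Object {
            $cert = $_
            # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $bits = if ($rsa) { $rsa.KeySize } else { $null }

            [pscustomobject]@{
                Subject      = $cert.Subject           # CN is the field the connection profile now maps
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                KeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
                KeyBits      = $bits
                MeetsMinimum = ($null -ne $bits) -and ($bits -ge $MinimumRsaBits)
            }
        }
}

# List every machine cert, weakest key first; a row with MeetsMinimum = False
# is the 1024-vs-2048 situation from the thread.
Get-MachineCertKeyAudit | Sort-Object KeyBits | Format-Table -AutoSize

# Optional: warn from a scheduled check if any private-key cert is below the minimum
$weak = Get-MachineCertKeyAudit | Where-Object { -not $_.MeetsMinimum }
if ($weak) { Write-Warning ("{0} certificate(s) below 2048-bit RSA" -f @($weak).Count) }
```

Run it in an elevated Windows PowerShell session on the affected client; the LocalMachine store is the one a machine-certificate AlwaysOn profile draws from, so a short key there is visible before the ASA ever rejects the handshake.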

7 Replies

Najib Akbari
Level 1

Please help me understand what requirements I need to add or change to switch from user cert authentication to Windows computer cert authentication.

Najib Akbari
Level 1

Also, please let me know whether it's better to keep authentication local on the ASA or move it to ISE. Right now the ASA does authentication and ISE does authorization.

@Najib Akbari Why not use double authentication? Computer certificate + AAA authentication via ISE using the user's AD credentials. That would be more secure than just computer or user certificate authentication.

I agree, it's just for user convenience; for now they want computer cert auth, which I'm having issues bringing up.

@Najib Akbari run debugs and provide the output for review.

debug webvpn AnyConnect 255
debug crypto ca 255

The only output from the CLI:
SSL verify callback: Key exchange algorithm extracted from SSL Cipher

and the AlwaysOn profile:

[attached screenshot: NajibAkbari_0-1763665422059.png]
