ASA will not check for Anyconnect client revoked certs

pacavell
Cisco Employee

Customer using certificate authentication for ASA AnyConnect VPN clients. They have also attempted to enable certificate revocation checking, either via CRL (revocation-check crl) or OCSP (revocation-check ocsp). Regardless of how they enable it, clients can still authenticate with revoked certs. The ASDM log shows the following: "certificate chain was successfully validated with warning revocation status was not checked." MS is the CA. ASA version is 9.6(3)1.

It seems the ASA thinks that it is NOT configured to check for cert revocation.

Any thoughts on what might be misconfigured? Thanks for any help.

2 Replies

VILLE LEINONEN
Level 1

Hi,


Have you checked which CRL method (ldap/http) is enabled, and what the certificate says about where the CRL is published?

I had some cases where there were access rights problems on the CRL server. There was an IIS configuration that said you must authenticate if you want to read the CRL, and when the ASA tried to get the CRL, IIS gave access denied.

Also I suggest that you try to debug; the command is (if I remember right) crypto ca crl request <trustpoint>


Here is a nice article on how to configure CRL checking: http://www.securesenses.net/2013/04/cisco-asa-certificate-revocation.html

Br,

Ville
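
The three checks in the reply above (what CDP the client certificate carries, whether the CRL server answers an anonymous request, and whether the published CRL really lists the serial the CA revoked) can be rehearsed offline before touching the ASA. The script below is an added example, not from the thread or from Cisco: it builds a throwaway CA with the openssl CLI and runs the same checks against it. Everything in it is constructed for the demo: the CA, the two client certificates with serials 03E8 (revoked) and 03E9 (still valid), and the CDP URL http://pki.example.com/CertEnroll/DemoCA.crl. The only assumptions about your environment are an openssl 1.1.1-or-later binary on PATH and, for the one network-dependent function, curl.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: rehearse the CRL checks offline
# with the openssl CLI. Everything here is constructed demo data (the CA, the client
# certs, serials 03E8/03E9, the CDP URL); the only assumption is openssl 1.1.1+ on PATH.
set -e

# 1. What does the certificate say about where the CRL is published?
#    Prints the first URI in the CRL Distribution Points extension.
cdp_url() {   # cdp_url <cert.pem>
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI://p' | head -n 1
}

# 2. Can that URL be read without credentials? The ASA fetches the CRL
#    anonymously, so an IIS site that insists on authentication answers
#    401/403 and the ASA sees access denied. Needs network; not run below.
fetch_crl() {   # fetch_crl <url> <outfile>  -> prints the HTTP status code
    curl -sS -o "$2" -w '%{http_code}' "$1"
}

# 3. Does the CRL actually list the serial the CA reports as revoked?
crl_status() {  # crl_status <crl.pem> <SERIAL-HEX>  -> "revoked" or "good"
    if openssl crl -in "$1" -noout -text | grep -qE "Serial Number: $2( |\$)"; then
        echo revoked
    else
        echo good
    fi
}

# 4. Chain plus revocation validation, i.e. the decision the ASA has to make.
#    Exit status 0 means accepted; a revoked certificate must come back non-zero.
verify_with_crl() {  # verify_with_crl <ca.pem> <crl.pem> <client.pem>
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3"
}

# Build a throwaway CA, two client certs (serial 03E8 revoked, 03E9 still valid)
# carrying a made-up CDP, and a CRL, all inside <dir>. Demo data only.
build_demo_pki() {  # build_demo_pki <dir>
    dir=$1
    mkdir -p "$dir"
    cd "$dir"
    cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Demo Issuing CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    echo 'crlDistributionPoints=URI:http://pki.example.com/CertEnroll/DemoCA.crl' > client_ext.cnf
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 1
EOF
    : > index.txt
    echo 01 > crlnumber
    openssl ecparam -genkey -name prime256v1 -noout -out ca.key
    openssl req -new -x509 -key ca.key -config req.cnf -days 2 -out ca.crt
    for pair in "03E8 revoked.user" "03E9 good.user"; do
        set -- $pair    # $1 = serial (hex), $2 = CN and file stem
        openssl ecparam -genkey -name prime256v1 -noout -out "$2.key"
        openssl req -new -key "$2.key" -config req.cnf -subj "/CN=$2" -out "$2.csr"
        openssl x509 -req -in "$2.csr" -CA ca.crt -CAkey ca.key -set_serial "0x$1" \
            -days 1 -extfile client_ext.cnf -out "$2.crt" 2>/dev/null
    done
    openssl ca -config ca.cnf -revoke revoked.user.crt 2>/dev/null   # the CA revokes 03E8
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null         # and publishes the CRL
    cd - >/dev/null
}

DEMO=$(mktemp -d)
build_demo_pki "$DEMO"
echo "CDP in client cert : $(cdp_url "$DEMO/revoked.user.crt")"
echo "03E8 in CRL        : $(crl_status "$DEMO/ca.crl" 03E8)"
echo "03E9 in CRL        : $(crl_status "$DEMO/ca.crl" 03E9)"
verify_with_crl "$DEMO/ca.crt" "$DEMO/ca.crl" "$DEMO/good.user.crt"
verify_with_crl "$DEMO/ca.crt" "$DEMO/ca.crl" "$DEMO/revoked.user.crt" \
    || echo "revoked.user.crt rejected, which is what the ASA should do"
```

Against the real deployment, run cdp_url on an exported client certificate, fetch_crl on the URL it returns (anything other than a 200 with a CRL body is the IIS problem described above; a 401 or 403 is the authentication prompt the ASA cannot answer), and crl_status on the downloaded file with the serial the CA reports as revoked (add -inform DER to the openssl crl call if IIS serves the CRL in DER, as Microsoft CAs usually do). Only when all three pass is the remaining problem on the ASA side: crypto ca crl request <trustpoint> followed by show crypto ca crls should then show the CRL cached, and the trustpoint's revocation-check line should not end in a none fallback, since that fallback tells the ASA to accept the certificate when the lookup fails rather than reject it.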

Cristian Matei
VIP Alumni

Hi,


Either you're hitting a bug, or there is something misconfigured. Validate your OCSP/CRL configuration; check this document for reference. Post the output of the following debugs, first for a user with a valid certificate, second for a user with a revoked certificate.

debug crypto ca transactions 7
debug crypto ca messages 7


Regards,

Cristian Matei.