Authenticating AnyConnect VPN client using certificates

Shaun Michelson
Level 1

Guys, I'm trying to configure my ASA5505 to authenticate AnyConnect VPN clients by using certificates. I have 'Certificates' set as my authentication method in my AnyConnect Connection Profile (see attached screenshot), but I keep getting "Certificate Validation Failure" whenever I try to connect. The certificate I want to use is a Computer certificate issued from my Enterprise Root CA (Windows Server 2008 running Active Directory Certificate Services). Certificate screen shot is attached. I've added the Root certificate on the ASA, and I've tried all manner of combinations using Certificate Matching in the AnyConnect Client Profile. Every attempt has failed, and I'm having no luck finding documentation on how to proceed. Any help would be greatly appreciated!

22 Replies

Hello Belmar,

I am not sure if you have the same setup as Shaun, but if the certificate is in the Machine store, then how are we going to find it when the Profile is set to use the User store?

        true
        false
        User <-- This should be Machine or All.
        true

If that doesn't help then I would highly recommend opening a TAC case so that we can review DART logs and delve into this issue.

Hello,

We have both machine and user certificates.

So now I tuned the AnyConnect profile a little and I am able to do the authentication with the user certificate, but the web-based browser login works only with IE7; it doesn't work with Firefox 3.

Thanks for your help

Belmar

Firefox uses its own certificate store, not Microsoft's. If you want Firefox to be able to use Cert Authentication you would need to install a Personal Certificate in Firefox.

Okay, I was able to make some progress. It seems that my setup has been correct all along (I did have CertificateStoreOverride enabled and CertificateStore set to Machine). My problem appears to be that I had not yet downloaded the AnyConnect client to my test machine. In other words, I've been trying to test a first-time user scenario, from browsing to the SSL VPN Service website, to choosing my desired Group, to initiating the first-time download/install of the AnyConnect client, and finally connecting to the VPN. When I first browse to the website, I have the option of choosing my Group, and get a message that my client certificate will be used to log in (See attached file shot1.jpg). But when I click login, that's when I get the certificate validation failure.

So, I tried using a different group (one that only uses RADIUS authentication) just to see if I could generate some debug logs (because I wasn't seeing any using my cert-auth group). I installed the AnyConnect client and connected fine. When I went back to try testing my other (certificate-only-authentication) group using the AnyConnect client, it connected successfully.

So, my question now is, can I authenticate to the ASA using just certificates before I've actually downloaded the AnyConnect client? It's really a moot point for me, since I can make sure company-issued laptops have everything they need beforehand (certificate and client installed). But for the benefit of others, it would be nice to know if it could be done.

As a side-note, I still get the Certificate Validation Failure when trying to click Connect using the website, even after I've installed the AnyConnect client. But, if I skip the website and just try to connect using the AnyConnect client, it works fine. I'm thinking maybe this is a feature not available to me using an AnyConnect Essentials license...

Hello Shaun,

The problem you are describing, not being able to authenticate via certificate through Microsoft Internet Explorer, is because of the fact that the certificate is in the Machine store. You would want to confirm with Microsoft, but it is my understanding that Microsoft Internet Explorer only uses the User Store, and as such the certificate is not available to be presented to the ASA through the web browser.

-Craig

Hello,

So here are some comments about all the tests I have made with XP and W7 machines.

On XP with IE6 and IE7, profile = user certificate authentication: from the web browser the user certificate works; I have a popup to choose the certificate and can see only my user certificate. The GUI side also works fine with user certificate selection.

On XP with IE6 and IE7, profile = machine certificate authentication: from the web browser the user certificate is selected (this is a strange thing, since the profile has the machine certificate mentioned; it looks like from the web browser AnyConnect doesn't look at the profile file). The GUI side also works with the machine certificate.

On W7 with IE8, profile = user certificate authentication: from the web browser it works well without a popup to choose the certificate, but from the GUI it doesn't work ??? I don't understand the issue :)

On W7 with IE8, profile = machine certificate authentication: from the web browser it works with the user certificate (like above with XP and the machine certificate mentioned in the profile file, but without the popup to select the certificate; a strange thing for me, but it works :)). From the GUI I get a popup to select the certificate and I see only my machine certificate, but every time I have to click twice on the Connect button to get connected ??

So if you have some advice or comment, please don't hesitate.

Bel

Hi,

I have an issue with this too. I am using the AnyConnect client on Windows Vista: AnyConnect 2.5.1025, ASA 8.0.4.32. I have an AD infrastructure successfully issuing certificates to machines and users, offline root, sub CA etc. I have set up a trustpoint on the ASA using the root cert from the AD CA. I am using certificates to authenticate the clients, and when logged in to Vista as a user, I can manually initiate a VPN session; it successfully brings up the VPN, authenticating using the certificate and generally working perfectly. The Vista clients get two certificates via AD, a User certificate and a Machine certificate.

I log on to a Vista workstation, open up the VPN client and connect to the ASA using certificates; this is seamless and automatic: as soon as I open the client it connects without any user involvement. The interesting thing to note here (see below) is that if I delete the User certificate the client can no longer authenticate, even though there is a valid certificate in the Machine certificate store. When I debug the connection with the line "debug webvpn svc 255" and an interface capture, I can see that the client certificate isn't presented to the ASA. When I re-establish the user certificate, it all works.

Start before logon (SBL) doesn't work at all with certificates like this. I presume because there is no user certificate available when you try to initiate the connection. When debugging SBL, the debugs are identical to the ones I get when I try to connect after deleting the user certificate (as I describe above). Is the problem because of permissions on the Machine certificate store, as suggested in one of the posts above?

To test this further I have also set up another ASA with a local CA server (self-signed). Again, when logged in as the user and manually initiating a connection, I get prompted to enter the one-time pass-code, save and store the certificate, and it works. When I use SBL, I get the same prompts, store the certificate, and it works every time after this.

I presume that the difference is, when using the ASA as a local CA server, I get to save the certificate in a store that it can read from and write to. With AD-issued certificates, because it's SBL, there is no User certificate available to authenticate.

The question is: is there any way to get the client working with certificates issued by AD using SBL? Should this work? I suspect the answer may be to get the client using SCEP, not AD??

The XML profile has the following settings:

true
                true
                false
                Machine
                false

Regards

Dave
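A small profile check, added here as an example (not Cisco's code and not anything posted in this thread), that applies the rule from Craig's reply (a certificate in the Machine store needs CertificateStore set to Machine or All) and Dave's SBL case (no user certificate store is available before logon). The root element, namespace and the UseStartBeforeLogon element name are assumed from the AnyConnect client profile schema; both sample profiles are constructed.

```python
# Added example (not Cisco's code, not from the thread): lint an AnyConnect
# client profile for the certificate-store mismatches discussed above.
import xml.etree.ElementTree as ET

# Root element, namespace and UseStartBeforeLogon are assumed from the
# AnyConnect profile schema; both sample profiles below are constructed.
NS = "{http://schemas.xmlsoap.org/encoding/}"

BAD_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <CertificateStore>User</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
  </ClientInitialization>
</AnyConnectProfile>"""

# Same profile with the settings Shaun reported working for a Machine-store cert.
GOOD_PROFILE = BAD_PROFILE.replace(">User<", ">Machine<").replace(
    "<CertificateStoreOverride>false", "<CertificateStoreOverride>true")


def _setting(root, name, default):
    """Return the text of the first <name> element, or the given default."""
    node = root.find(f".//{NS}{name}")
    return (node.text or default).strip() if node is not None else default


def lint_profile(xml_text, cert_in_machine_store):
    """Return findings as strings; cert_in_machine_store says where the
    endpoint's identity certificate actually lives."""
    root = ET.fromstring(xml_text)
    store = _setting(root, "CertificateStore", "All")  # schema default is All
    override = _setting(root, "CertificateStoreOverride", "false").lower() == "true"
    sbl = _setting(root, "UseStartBeforeLogon", "false").lower() == "true"
    findings = []
    if cert_in_machine_store and store == "User":
        findings.append("CertificateStore=User but the certificate is in the "
                        "Machine store; set Machine or All")
    if cert_in_machine_store and not override:
        findings.append("CertificateStoreOverride=false: a non-admin user "
                        "cannot use the Machine store; set it to true")
    if sbl and store == "User":
        findings.append("UseStartBeforeLogon=true with CertificateStore=User: "
                        "no user store exists before logon; use Machine")
    return findings


if __name__ == "__main__":
    for name, profile in (("bad", BAD_PROFILE), ("good", GOOD_PROFILE)):
        print(name, lint_profile(profile, cert_in_machine_store=True) or ["ok"])
```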

We have this issue as well. How do you use a Microsoft CA cert and support SBL?
I'm leaning toward a template issue.  Does anyone have info on how the template should be configured?