09-20-2010 09:33 AM - edited 02-21-2020 04:51 PM
Guys, I'm trying to configure my ASA5505 to authenticate AnyConnect VPN clients by using certificates. I have 'Certificates' set as my authentication method in my AnyConnect Connection Profile (see attached screenshot), but I keep getting "Certificate Validation Failure" whenever I try to connect. The certificate I want to use is a Computer certificate issued from my Enterprise Root CA (Windows Server 2008 running Active Directory Certificate Services). Certificate screenshot is attached. I've added the Root certificate on the ASA, and I've tried all manner of combinations using Certificate Matching in the AnyConnect Client Profile. Every attempt has failed, and I'm having no luck finding documentation on how to proceed. Any help would be greatly appreciated!
10-05-2010 11:12 AM
Hello Shaun,
The problem you are describing, not being able to authenticate via certificate through Microsoft Internet Explorer, is because of the fact that the certificate is in the Machine store. You would want to confirm with Microsoft, but it is my understanding that Microsoft Internet Explorer only uses the User Store; as such, the certificate is not available to be presented to the ASA through the web browser.
-Craig
09-23-2010 11:18 PM
Hi Shaun,
What browser are you using to connect with, and are you being prompted to select the certificate you want to use?
Regards,
Steve.
09-24-2010 08:04 AM
Hey Steve, using IE8 and I'm not being prompted to choose a certificate.
09-24-2010 06:46 PM
Thanks Shaun,
Have you tried connecting with Firefox? If so, do you see the same behaviour?
Please also note that IE8 is only supported from ASA version 8.3.1 and above (http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp160950).
Regards,
Steve.
09-27-2010 01:08 PM
Thanks for the info on IE8 support. We're using ASA version 8.2.2, so that could be an issue. Tried connecting with Firefox v3.6.10, and am not being prompted to choose a certificate.
09-27-2010 03:08 PM
Could you add the show run?
09-28-2010 06:51 AM
Added the (scrubbed) running config in the attachments.
10-01-2010 01:29 AM
Hi,
I have exactly the same issue testing AnyConnect 2.5 with ASA 8.2.2.
I have a machine certificate issued by our internal MS2003 CA; on the ASA WAN interface there is an SSL certificate issued by the Verisign CA.
Each time I want to connect from an XP client, with either Firefox or IE 7.0, there is an error message: authentication failure.
You mentioned at the top that you enabled the root certificate on the ASA? Could you please let me know about this?
I don't find a Cisco doc on enabling AnyConnect client authentication by certificate.
Thanks for your help
10-04-2010 06:52 AM
Bel,
To install my Enterprise Root CA certificate, I first browse to http://servername/certserv within my network (where servername is the name of your Enterprise Root CA) and click on "Download a CA certificate, certificate chain, or CRL". (You need to have installed the Certification Authority Web Enrollment service on your Enterprise Root CA server before this works). Once I've downloaded the CA certificate, on the ASA I go to Configuration --> Remote Access VPN --> Certificate Management --> CA Certificates, then click on "Add" and browse to my Desktop where I've saved the certificate. Hope this helps.
10-04-2010 07:13 AM
Hello,
Thanks for your answer. I downloaded our CA certificate in DER format:
Encoding method:
    DER  (this format)
    Base 64
Install CA certificate
    Download CA certificate  (this one)
    Download CA certificate chain
    Download latest base CRL
    Download latest delta CRL
And installed it on my ASA.
And now how can I direct my user profiles to validate this certificate??
Thanks
10-04-2010 07:17 AM
Ha...that's what I'm trying to figure out through this forum.
10-04-2010 07:22 AM
Okay, now we have to wait for help.
10-04-2010 01:37 PM
Hello Shaun,
Since you are trying to use a Machine Certificate (Local Computer store instead of User store), you need to have configured your AnyConnect Profile to have the CertificateStoreOverride and ensure that the CertificateStore is All or Machine. By default it is set to All; however, most users do not have the rights for the Machine store and thus cannot get the certificate. Also, your web browser would not have access to a Machine Cert either.
During a connection attempt you would want to monitor the output of
debug crypto ca 255
to ensure that the ASA is in fact receiving a certificate for authentication. Use "terminal monitor" to see the debugs in your SSH session.
You can also check the AnyConnect Event Logs from the Windows Event Log viewer and look for a vpnui entry where the function is getNextClientCert to see if the client found your certificate.
You could also try installing the certificate in the User Store and see if that makes a difference.
I hope that this helps,
Craig
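An added example of the AnyConnect client profile settings the reply above refers to; this is not a profile from this thread or from Cisco, but a constructed excerpt. The file name (certauth-profile.xml), the host name vpn.example.com and the issuer CN pattern EXAMPLE-ROOT-CA are placeholders to replace with your own values. CertificateStoreOverride lets the client read the Local Computer store even when the logged-on user lacks rights to it, and the CertificateMatch block narrows selection to a client-authentication certificate from the expected issuer, so the client does not present some other certificate that the ASA trustpoint will reject.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example AnyConnect client profile (hypothetical file: certauth-profile.xml).
     Deployed to clients from the ASA like any other AnyConnect profile. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Search both the User and Machine stores; "Machine" restricts selection
         to the Local Computer store only. -->
    <CertificateStore>All</CertificateStore>
    <!-- Allow access to the Machine store even for users without rights to it.
         This is the setting needed for a Computer (machine) certificate. -->
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <!-- Pick the matching certificate without prompting the user. -->
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
  </ClientInitialization>

  <!-- Only present certificates that carry Digital Signature key usage, the
       Client Authentication EKU, and were issued by the expected CA. -->
  <CertificateMatch>
    <KeyUsage>
      <MatchKey>Digital_Signature</MatchKey>
    </KeyUsage>
    <ExtendedKeyUsage>
      <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
    </ExtendedKeyUsage>
    <DistinguishedName>
      <!-- Assumed issuer name: replace EXAMPLE-ROOT-CA with the CN of your Enterprise Root CA. -->
      <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
        <Name>ISSUER-CN</Name>
        <Pattern>EXAMPLE-ROOT-CA</Pattern>
      </DistinguishedNameDefinition>
    </DistinguishedName>
  </CertificateMatch>

  <ServerList>
    <HostEntry>
      <!-- Placeholder VPN head-end; use the name on the ASA's SSL certificate. -->
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

When testing, pair this with the checks from the reply above: the "debug crypto ca 255" output on the ASA shows whether a certificate arrived at all, and a vpnui getNextClientCert entry in the Windows event log shows whether the client found a certificate matching these rules. If the client log shows no candidate certificate, the match criteria (issuer CN, EKU) or the store setting are the first things to re-check.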
10-05-2010 02:14 AM
Hello Craig,
I have configured the AnyConnect profile to use the client certificate.
Now, using the web interface, I get a popup to choose my certificate (using IE7); after choosing the certificate I am able to establish a VPN connection with the AnyConnect client. But when running the client directly, it tells me that "your client certificate will be used for authentication", but on clicking the Connect button there is the error message "Certificate validation failure" ??? ???
Thanks
Belmar
10-05-2010 02:22 AM
Sorry, I forgot to mention that during the attempt from the AnyConnect GUI there is nothing on the ASA with debug crypto ca 255,
and in the Windows event log there is no entry for the function getNextClientCert.??
Thanks
Belmar