Cert based auth with AnyConnect

Hi,

We recently purchased a certificate for our ASA to use on the outside interface, when connecting in order to get AnyConnect installed or simply use webvpn. I added it as an identity cert and the CA cert as well, and then made it the default cert for the outside interface. This all worked just fine.

Now, we want to use cert-based authentication for our AnyConnect (along with RADIUS which is already working). We have an internal Microsoft cert server that we would like to use for this purpose. Question is... how can we use the public purchased cert on the outside interface for webvpn and AnyConnect installation and at the same time use the "internal" cert for authentication of the VPN client? Is it even possible?

I've already created an internal cert and installed it on the ASA along with the CA cert of our internal server. We are running version 8.2(2).

I hope someone, with a little more knowledge about this than me, can assist.

Thanks in advance,

Rasmus

Accepted Solutions

Rasmus,

Debugging for failed attempt please, however you normally try to do this.

Can you try with and without ssl certificate-auth ... ?

Marcin

11 Replies

Just found this link (which is for ver. 8.2):

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1046987

Is this what I need to do? Or is it intended for something else entirely?

/Rasmus

I just tried the above-mentioned setting, and it works when using the AnyConnect client.

But when visiting the https address of the ASA, to get AnyConnect installed, I get a certificate auth error when logging on. It still uses the public purchased cert here, which is what I want it to, but the auth seems to try and use the authentication cert set up. This would be OK, but the problem is that when opening the web site (ASA), IE prompts me to select a certificate for authentication, but my computer cert (which I choose with the AnyConnect client) isn't available?

Any help much appreciated!

/Rasmus

No one?

Rasmus,

I faced something similar before. The fault was on the MS CA side at that time. Let's see now.

Can you please check from multiple browsers, IE and Firefox at minimum.

First of all do you see the correct cert in browsers' stores?

Marcin