cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6566
Views
0
Helpful
11
Replies

Cert based auth with AnyConnect

rate
Level 1
Level 1

Hi,

We recently purchased a certificate for our ASA to use on the outside interface, when connecting in order to get AnyConnect installed or simply use webvpn. I added it as an identity cert and the CA cert as well, and then made it the default cert for the outside interface. This all worked just fine.

Now, we want to use cert-based authentication for our AnyConnect (along with RADIUS which is already working). We have an internal Microsoft cert server, that we would like to use for this purpose. Question is... how can we use the public purchased cert on the outside interface for webvpn and AnyConnect installation and at the same time use the "internal" cert for authentication of VPN client? Is it even possible?

I've already created an internal cert and installed it on the asa along with the CA cert of our internal server. We are running version 8.2(2).

I hope someone, with a little more knowledge about this than me, can assist

Thanks in advance,

Rasmus

1 Accepted Solution

Accepted Solutions

Rasmus,

Debugging for failed attempt please, however you normally try to do this.

Can you try with and without ssl certificate-auth ... ?

Marcin

View solution in original post

11 Replies 11

rate
Level 1
Level 1

Just found this link (which is for ver. 8.2):

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1046987

Is this what I need to do? Or is it intended for something else entirely?

/Rasmus

I just tried the above mentioned setting, and it works when using the AnyConnect client.

But when visiting the https address of the ASA, to get the AnyConnect installed, I get a certificate auth error when logging on. It stille uses the public purchased cert here which is what I want it to, but the auth seems to try and use the authentication cert set up. This would be ok, but the problem is when opening the web site (asa) IE prompts me to select a certificate for authentication, but my computer cert (which I choose with the anyconnect client) isn't available?

Any help much appreciated!

/Rasmus

No one?

Rasmus,

I faced something similar before. Fault was on MS CA side at that time.Let's see now.

Can you please check from multiple browseres IE and firefox at minimum.

First of all do you see the correct cert in browsers' stores?

Marcin

Hello Marcin - thanks for your reply.

I checked Firefox and IE7 and IE8 - all the same

If I open the cert store from IE I can only see user certificate store. Since the used cert is a computer cert, it doesn't show up.

/Rasmus

Rasmus,

By any chance is this same deployment we used in previous thread, SBL + proxy + I guess cert auth?

Can you also install this cert into user store and test? I'm not a windows guy so I don't know if you can make IE read other cert stores.

Marcin

Hi Marcin,

Exactly the same

I already tried that. I was able to select the certificate then, but the authentication would stille fail for some reason. If I clicked cancel and the cert selection pop-up it worked. But only with the computer cert added to the user cert store. If it wasn't there, I could not authenticate whether I clicked OK or Cancel.

/Rasmus

Rasmus,

Long storry short ... which cert do you have in "ssl ..."

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1514061

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1511555


If I remember you were already running 8.2.2

A note from the case I mentioned: MS CA has certificate templates and it seems to be messing up with some part of PKI on ASA, you can probably get this working with IOS CA without problems

Can you get deb cry ca mess deb cry ca trans (100 level) during connection attempt?

Marcin

Hi Marcin,

In the "SSL TrustPoint..." command I've got the external bought certificate.

The "SSL certificate-auth..." command is not present in my config. I've got this though:

crypto ca certificate map NAME 10

webvpn

  certificate-group-map NAME 10 PROFILE

About the debug command. Do you want this output when connecting with the AnyConnect client, or when accessing the webpage where the error occours? Also, should I click cancel in the cert selection box (if you want the browser-login debug) og click "ok" without a cert selected?

Thanks,

Rasmus

Rasmus,

Debugging for failed attempt please, however you normally try to do this.

Can you try with and without ssl certificate-auth ... ?

Marcin

Hi Marcin,

First of all thanks for all your assistance!

The more I've looked into this, the more it appears to me that it is an internet browser related problem. IE simply doesn't look in the computer certificates store in Windows - only the user store.

I've created a seperate thread in a Windows-forum, and hopefully I will get some answers there. Meanwhile, if anyone else run into this problem, please reply to this thread.

I will give you full ratings though Marcin, because of your assistance. I will also create another thread in here regarding CRL. This is an ASA issue - not an Internet Explorer thing, so I hope you will take a look at the thread at some point I simply can't get it working

Thanks again,

Rasmus

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: