06-22-2010 10:36 PM - edited 02-21-2020 04:42 PM
Hi,
We recently purchased a certificate for our ASA to use on the outside interface, when connecting in order to get AnyConnect installed or simply use webvpn. I added it as an identity cert and the CA cert as well, and then made it the default cert for the outside interface. This all worked just fine.
Now, we want to use cert-based authentication for our AnyConnect (along with RADIUS which is already working). We have an internal Microsoft cert server, that we would like to use for this purpose. Question is... how can we use the public purchased cert on the outside interface for webvpn and AnyConnect installation and at the same time use the "internal" cert for authentication of VPN client? Is it even possible?
I've already created an internal cert and installed it on the ASA along with the CA cert of our internal server. We are running version 8.2(2).
I hope someone, with a little more knowledge about this than me, can assist.
Thanks in advance,
Rasmus
06-23-2010 12:56 AM
Just found this link (which is for ver. 8.2):
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1046987
Is this what I need to do? Or is it intended for something else entirely?
/Rasmus
06-23-2010 01:32 AM
I just tried the above mentioned setting, and it works when using the AnyConnect client.
But when visiting the https address of the ASA, to get the AnyConnect installed, I get a certificate auth error when logging on. It still uses the public purchased cert here, which is what I want it to, but the auth seems to try and use the authentication cert set up. This would be ok, but the problem is that when opening the web site (ASA) IE prompts me to select a certificate for authentication, but my computer cert (which I choose with the AnyConnect client) isn't available.
Any help much appreciated!
/Rasmus
06-24-2010 11:58 PM
No one?
06-25-2010 01:24 AM
Rasmus,
I faced something similar before. Fault was on MS CA side at that time. Let's see now.
Can you please check from multiple browsers, IE and Firefox at minimum.
First of all do you see the correct cert in browsers' stores?
Marcin
06-25-2010 01:52 AM
Hello Marcin - thanks for your reply.
I checked Firefox and IE7 and IE8 - all the same
If I open the cert store from IE I can only see user certificate store. Since the used cert is a computer cert, it doesn't show up.
/Rasmus
06-25-2010 01:59 AM
Rasmus,
By any chance is this same deployment we used in previous thread, SBL + proxy + I guess cert auth?
Can you also install this cert into user store and test? I'm not a windows guy so I don't know if you can make IE read other cert stores.
Marcin
06-25-2010 02:26 AM
Hi Marcin,
Exactly the same
I already tried that. I was able to select the certificate then, but the authentication would still fail for some reason. If I clicked cancel in the cert selection pop-up it worked. But only with the computer cert added to the user cert store. If it wasn't there, I could not authenticate whether I clicked OK or Cancel.
/Rasmus
06-25-2010 04:40 AM
Rasmus,
Long story short ... which cert do you have in "ssl ..."
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1514061
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1511555
If I remember you were already running 8.2.2
A note from the case I mentioned: MS CA has certificate templates and it seems to be messing up with some part of PKI on ASA, you can probably get this working with IOS CA without problems
Can you get deb cry ca mess deb cry ca trans (100 level) during connection attempt?
Marcin
06-28-2010 01:31 AM
Hi Marcin,
In the "SSL TrustPoint..." command I've got the external bought certificate.
The "SSL certificate-auth..." command is not present in my config. I've got this though:
crypto ca certificate map NAME 10
webvpn
certificate-group-map NAME 10 PROFILE
About the debug command. Do you want this output when connecting with the AnyConnect client, or when accessing the webpage where the error occurs? Also, should I click cancel in the cert selection box (if you want the browser-login debug) or click "ok" without a cert selected?
Thanks,
Rasmus
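For readers landing here with the same question, the split the thread is after (one trustpoint holding the purchased certificate for the outside SSL identity, a second trustpoint holding only the internal CA for validating client certificates, and a certificate map steering those clients into a tunnel-group that also requires RADIUS) looks like this on 8.2. This is an added example, not Rasmus's configuration or Cisco's documentation; the trustpoint, map, tunnel-group and server-group names and the issuer CN are assumed placeholders.

```cisco
! Trustpoint for the purchased certificate: identity only, presented on the outside interface
crypto ca trustpoint PUBLIC-ID-TP
 enrollment terminal
 subject-name CN=vpn.example.com
!
! Trustpoint for the internal Microsoft CA: used only to validate client certificates
crypto ca trustpoint INTERNAL-CA-TP
 enrollment terminal
 crl configure
!
! The public cert is what browsers and AnyConnect see when they connect
ssl trust-point PUBLIC-ID-TP outside
! Ask connecting clients for a certificate on the outside interface
ssl certificate-authentication interface outside port 443
!
! Match client certs issued by the internal CA (assumed issuer CN) and send them to the tunnel-group
crypto ca certificate map INTERNAL-CLIENTS 10
 issuer-name attr cn co INTERNAL-ISSUING-CA
!
webvpn
 enable outside
 certificate-group-map INTERNAL-CLIENTS 10 ANYCONNECT-TG
!
! Certificate plus RADIUS: the cert must validate and the user must still authenticate
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group RADIUS-SRV
tunnel-group ANYCONNECT-TG webvpn-attributes
 authentication aaa certificate
```

Two things worth checking against this layout: the trustpoint under "ssl trust-point" must be the one that actually holds the public identity cert (that is what Marcin's "which cert do you have in ssl ..." question is getting at), and the certificate map has to match attributes that are present in the client certs the internal CA issues, otherwise the connection falls through to the default group and the cert check fails even though the cert is valid. The portal behaviour described above, where IE only offers user-store certificates, is a client-side issue and is not changed by any of these lines.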
06-28-2010 02:50 AM
Rasmus,
Debugging for failed attempt please, however you normally try to do this.
Can you try with and without ssl certificate-auth ... ?
Marcin
06-28-2010 08:01 AM
Hi Marcin,
First of all thanks for all your assistance!
The more I've looked into this, the more it appears to me that it is an internet browser related problem. IE simply doesn't look in the computer certificate store in Windows - only the user store.
I've created a separate thread in a Windows forum, and hopefully I will get some answers there. Meanwhile, if anyone else runs into this problem, please reply to this thread.
I will give you full ratings though Marcin, because of your assistance. I will also create another thread in here regarding CRL. This is an ASA issue - not an Internet Explorer thing, so I hope you will take a look at the thread at some point. I simply can't get it working.
Thanks again,
Rasmus