02-10-2019 03:22 PM
Hi All.
Our goal is to ensure the AnyConnect VPN is only able to be used by corporate devices.
Our expectation is that we can use Group Policy (or similar) to push a certificate to all computers that connect to the VPN, and this certificate is validated by the ASA.
We desire the certificate to be non-exportable so that it can't be used on another computer.
We create our internal certificates using XCA (like OpenSSL) and have an internal CA and intermediate CA already configured.
Using XCA I have created a CA, an Intermediate CA, and a 'client' certificate.
On the ASA I have installed the client cert and the CAs.
And on the SSL settings I have configured the outside interface to use this identity certificate.
And I have installed the client certificate onto the test computer.
Now when I connect using the new VPN Profile I have created, it prompts me for the certificate, and it connects successfully.
If I select a random certificate, it does not connect, as expected.
The problem is this: using Windows Certificate Manager I can export the certificate off the computer without the private key, and this exported (keyless) certificate can then be installed on another computer and still connects.
It seems the ASA is not validating that the private key is present in the client computer.
I suspect this is something to do with the Certificate Matching or Certificate Pinning or something in the AnyConnect Client Profile, but I can't seem to get it to work.
This guide has been pretty helpful.
But even in this guide it shows screenshots of the client certificate without any private key.
Can someone point me in the right direction for validating the private key on the client? Cheers!
02-10-2019 09:34 PM
10-27-2020 05:50 AM
Hi,
I think you were hitting bug CSCvg40155.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg40155
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa1
If certificate authentication is used for VPN, the user needs to hold the private key, no excuses.
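The reply's point is that certificate authentication is only meaningful if the gateway checks proof of possession of the private key, which is what the thread's keyless export was bypassing. The script below is an added example (not from the thread, Cisco, or XCA) that shows the two checks a relying party performs, using only the openssl CLI: first, whether a key and a certificate actually belong together (public key comparison), and second, a challenge/response signature, the same idea as the CertificateVerify step of a TLS client-certificate handshake. All key material is generated on the fly into a temporary directory; the names (Test Root CA, corp-laptop-01, other.key) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: what "holding the private key" means
# in certificate authentication, demonstrated with the openssl CLI.
# A server doing client-cert auth must verify a signature made with the client's
# private key; the certificate alone is public data and proves nothing by itself.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI mirroring the thread's layout: a CA and one client certificate.
# other.key stands in for a machine that only received the exported (keyless) cert.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=corp-laptop-01" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/client.crt" >/dev/null 2>&1
    openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# Check 1: does this private key belong to this certificate?
# Compare SHA-256 of the DER public key from each side; returns 0 on a match.
key_matches_cert() {  # $1 = private key file, $2 = certificate file
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 2: proof of possession. The verifier issues a fresh random nonce, the
# holder signs it with its private key, and the verifier checks the signature
# against the public key extracted from the presented certificate.
# Returns 0 only when the signing key matches the certificate.
prove_possession() {  # $1 = private key the client signs with, $2 = certificate it presents
    nonce="$WORK/nonce.$$"
    openssl rand -out "$nonce" 32
    openssl dgst -sha256 -sign "$1" -out "$nonce.sig" "$nonce"
    openssl x509 -in "$2" -noout -pubkey > "$nonce.pub"
    openssl dgst -sha256 -verify "$nonce.pub" -signature "$nonce.sig" "$nonce" >/dev/null 2>&1
}

make_test_pki

# Stand-alone demo output: the real key passes both checks, the unrelated key fails both.
if key_matches_cert "$WORK/client.key" "$WORK/client.crt"; then
    echo "client.key matches client.crt"; else echo "client.key does NOT match client.crt"; fi
if key_matches_cert "$WORK/other.key" "$WORK/client.crt"; then
    echo "other.key matches client.crt"; else echo "other.key does NOT match client.crt"; fi
if prove_possession "$WORK/client.key" "$WORK/client.crt"; then
    echo "proof of possession OK with client.key"; else echo "proof of possession FAILED with client.key"; fi
if prove_possession "$WORK/other.key" "$WORK/client.crt"; then
    echo "proof of possession OK with other.key"; else echo "proof of possession FAILED with other.key"; fi
```

The second check is the one that matters for the thread: a certificate copied to another machine without its key can still be presented, but it cannot produce a valid signature over a fresh nonce, so a gateway that performs this step rejects it. The first check is useful on the issuing side, for confirming that the certificate you are about to push by Group Policy is paired with the key that will sit, non-exportable, in the machine's store.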