02-10-2019 03:22 PM
Hi All.
Our goal is to ensure the AnyConnect VPN is only able to be used by corporate devices.
Our expectation is that we can use Group Policy (or similar) to push a certificate to all computers that connect to the VPN, and this certificate is validated by the ASA.
We desire the certificate to be non-exportable so that it cant be used on another computer.
We create our internal certificates using XCA (Like OpenSSL) and have an internal CA and intermediate CA already configured.
Using XCA I have created a CA, an Intermediate CA, and a 'client' certificate.
On the ASA I have installed the client cert and the CA's
And on the SSL settings I have configured the outside interface to use this identity certificate
And I have installed the client certificate onto the test computer
Now when I connect using the new VPN Profile I have created, it prompts me for the certificate, and it connects succesfully.
If I select a random certificate, it does not connect. As expected
The problem is such: using windows certificate manager I can export the certificate off the computer without the private key. and this exported (keyless) certificate can then be installed on another computer and still connects
It seems the ASA is not validating that the private key is present in the client computer.
I suspect this is something to do with the Certificate Matching or Certificate Pinning or something in the AnyConnect Client Profile but I cant seem to get it to work.
This guide has been pretty helpful
But it even in this guide it shows screenshots of the client certificate without any private key.
Can someone point me in the right direction for validating the private key on the client? Cheers!
Solved! Go to Solution.
02-10-2019 09:34 PM
02-10-2019 09:34 PM
10-27-2020 05:50 AM
Hi,
I think you were hitting bug CSCvg40155.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg40155
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa1
If certificate authentication is used for VPN, the user needs to hold the private key, no excuses.
05-30-2024 08:32 AM
hello, I want to implement cert authentication + AAA. In testing I have found that it works on a laptop with Cert + Private key installed, but it also works with just the cert (no private key). This cannot be correct.
We are using Firepower 3100 running Cisco Adaptive Security Appliance Software Version 9.18(3)56
Can anyone advise?
thank you for any help!
05-30-2024 02:06 PM
@marie-flanagan, yeah, I was able to connect too, although it was a quick test by exporting certificate without private key, removing certificate, installing exported certificate (without private key) and connecting. If you see this behavior by importing certificate without the key to *another* client PC, you need to contact PSIRT by email via psirt@cisco.com and also open TAC case if you have support contract.
05-31-2024 02:30 AM
I'd also like to add that this behavior is unexpected. AnyConnect sends client certificate in both TLS1.2 handshake and within the application protocol. When it is sent in TLS1.2 handshake, Certificate Verify is also sent, which in my understanding requires private key.
Few AnyConnect TCP connections, which constitute tunnel establishment, contain dummy zero-size client Certificate and in this case Certificate Verify is not sent, but in my opinion there should be one with the real client certificate and in this case Certificate Verify must be sent in the same TCP segment or the next one. You can collect capture on ASA and verify.
05-31-2024 06:42 AM
thank you! I've a call logged with TAC so we'll see what they say.
06-03-2024 09:18 AM
What did TAC say?
06-06-2024 03:21 AM
TAC have been asking for info, screen shots, DART, show tech, etc. No answer as of yet!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide