
certificate authentication for Cisco VPN client

Doug Charboneau
Level 1

I am trying to configure the Cisco VPN client for certificate authentication on my ASA 5512-X. I have it set up currently for group authentication with a shared password. This works fine. But in order for you to pass PCI compliance you cannot allow aggressive mode for IKEv1. The only way to disable aggressive mode (and use main mode) is to use certificate authentication for the VPN client. I know that someone out there must be doing this already. I am going round and round with this. I am missing something.

I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall, i.e. "failed to generate signature", "invalid remote signature id". I have tried using different signatures (one built on the ASA and bought from GoDaddy, one built from a Windows CA, and one self-signed).

Can someone provide the instructions on setting this up (ASDM or CLI)? Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.

12 Replies

Jeet Kumar
Cisco Employee

Hi Doug,

If you are trying to use a certificate to authenticate the IPsec VPN client, I think this document should give you the required information:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtm

Thanks

Jeet Kumar

The link you sent does not open.

I am running 8.6(1)2 on the ASA. I have checked the licensing and it shows AnyConnect: disabled.

Hi Doug,

You need to procure the below license for your ASA hardware to support the Cisco AnyConnect VPN client.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html

AnyConnect Essentials

• All ASA models (Cisco ASA 5505 to ASA 5580)

• Cisco ASA Software Release 8.2 and later

• Cisco AnyConnect Secure Mobility client connectivity without clientless SSL VPN and Cisco Secure Desktop capabilities

• Cisco AnyConnect Secure Mobility capabilities that may be used in conjunction with a licensed Cisco IronPort™ Web Security Appliance

• Full tunneling access to enterprise applications

• ASA-AC-E-55XX=

HTH

Regards
Santhosh Saravanan

So it looks like you can get the Cisco AnyConnect Essentials license for about $75 for 25 users. If I get this license then I will be able to use the AnyConnect client to connect in like I am currently doing with the VPN client, except that it will be with a cert so that I can pass PCI compliance, correct? No more shared secret, right? It looks like I can set up this program to automatically download from the server also.

Hi Doug,

Hope you are running 5505 ASA hardware in your environment.

Yes, you can go for procuring the AnyConnect Essentials VPN license for 25 users; only 25 concurrent users will be allowed to connect to your ASA hardware simultaneously.

AnyConnect Essentials VPN License - ASA 5505 (25 Users)

ASA 8.x : VPN Access with the AnyConnect VPN Client Using Self-Signed Certificate Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Configuring AnyConnect VPN Client Connections

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_anyconnect.html#wp1105461

HTH

Regards
Santhosh Saravanan

Hi Jeet,

I have the same issue and want to continue with the VPN client rather than AnyConnect.

I have a Windows 2012 CA server and cannot get the certificate template as IPSEC as mentioned in the document.

Do I need to have communication between the ASA and the CA server? If yes, please let me know which ports need to be opened.

What will be the FQDN on the ASA?

My CA server is part of AD but the ASA is not. In the document, it says:

"Make sure that you have a user account for the ASA (vpn server) with the CA server."

What will be the username I should use?

Looking forward to hearing from you soon.
Thanks & Regards

Ahmed...
Hi Ahmed,

Were you able to make it work ? I have the same issue and am interested if you've found a solution.

Thanks,

Sean

After speaking with some Cisco experts the only resolution I found was upgrading to use AnyConnect. I have to say it was well worth the investment. The tool is very easy to use and with AD integration you do not have to worry about giving out passwords that can be reutilized (much more secure).

Thanks Doug, I'll check out the AnyConnect option.

sansarav720e
Level 1

Dear Doug,

What ASA code are you running on your ASA hardware? For Cisco AnyConnect you need to have code 8.0 on your hardware with the Cisco AnyConnect Essentials license enabled. Paste me your show version and I will help you determine whether you need to procure a license for your hardware. By default your hardware will be shipped with the AnyConnect Essentials license when you have ordered your hardware with ASA code above 8.0.

With AnyConnect Essentials you are allowed to use up to the total VPN peers allowed based on your hardware.

1)  What is the AnyConnect Essentials License?

The AnyConnect Essentials is a license that allows you to connect up to your 'Total VPN Peers' platform limit with AnyConnect. Without an AnyConnect Essentials license, you are limited to the 'SSL VPN Peers' limit on your device. With the AnyConnect Essentials license, you can only use AnyConnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSL VPN portal page for anything other than launching AnyConnect are restricted.

You can see your limits for the various licensing by issuing the 'show version' command on your ASA.

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          :  Enabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

AnyConnect VPN Configuration:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

HTH Regards Santhosh Saravanan
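The licensing check Santhosh describes can be scripted rather than read by eye. The following is an added example (not from this thread and not a Cisco tool): it parses the "Licensed features for this platform" table out of `show version` output and derives the AnyConnect peer limit exactly as explained above, i.e. the 'Total VPN Peers' value when AnyConnect Essentials is enabled, otherwise the 'SSL VPN Peers' value. The two sample outputs are the ones pasted in this post, embedded as strings; the function names are my own.

```python
import re

# First "show version" excerpt from the post above: AnyConnect Essentials disabled.
SHOW_VERSION_BEFORE = """\
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled
"""

# Second excerpt from the post: identical except Essentials is now enabled
# (note the extra space before "Enabled", as in the original paste).
SHOW_VERSION_AFTER = SHOW_VERSION_BEFORE.replace(
    "AnyConnect Essentials          : Disabled",
    "AnyConnect Essentials          :  Enabled",
)

# "Feature name   : value" rows; the header line has nothing after its colon
# and therefore does not match.
_ROW_RE = re.compile(r"^(?P<name>[A-Za-z0-9/\- ]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_licensed_features(text):
    """Return {feature_name: value} for every row of the licensed-features table."""
    features = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            features[m.group("name")] = m.group("value")
    return features


def is_enabled(features, name):
    """True when the named feature reads 'Enabled' (case-insensitive)."""
    return features.get(name, "").strip().lower() == "enabled"


def anyconnect_peer_limit(features):
    """AnyConnect concurrent-peer ceiling, per the rule given in this post:
    Essentials enabled -> 'Total VPN Peers'; otherwise -> 'SSL VPN Peers'."""
    key = "Total VPN Peers" if is_enabled(features, "AnyConnect Essentials") else "SSL VPN Peers"
    return int(features[key])


def license_report(text):
    """Summarise what matters for an AnyConnect rollout from one show version dump."""
    features = parse_licensed_features(text)
    return {
        "anyconnect_essentials": is_enabled(features, "AnyConnect Essentials"),
        "anyconnect_peer_limit": anyconnect_peer_limit(features),
        "strong_crypto": is_enabled(features, "VPN-3DES-AES"),
    }


if __name__ == "__main__":
    for label, dump in (("before", SHOW_VERSION_BEFORE), ("after", SHOW_VERSION_AFTER)):
        print(label, license_report(dump))
```

Run against the first dump the report shows a limit of 2 peers, which is the "only 2 allowed" symptom from the opening post; against the second it shows 750. Feed it the real `show version` output of your own unit to see which side of that line you are on before buying anything.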