certificate authentication for Cisco VPN client

09-04-2013 01:16 PM
I am trying to configure the Cisco VPN client for certificate authentication on my ASA 5512-X. I have it set up currently for group authentication with a shared password. This works fine. But in order for you to pass PCI compliance you cannot allow aggressive mode for IKEv1. The only way to disable aggressive mode (and use main mode) is to use certificate authentication for the VPN client. I know that someone out there must be doing this already. I am going round and round with this. I am missing something.
I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall, i.e. "failed to generate signature", "invalid remote signature id". I have tried using different signatures (one built on the ASA and bought from GoDaddy, one built from a Windows CA, and one self-signed).
Can someone provide the instructions on setting this up (ASDM or CLI)? Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.
Labels: VPN
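An added static check for the two conditions the post above turns on (IKEv1 aggressive mode disabled, remote-access tunnel-groups moved from a pre-shared key to a certificate trustpoint). This is example code written for this page, not from the thread or from Cisco; it assumes the ASA 8.4-style keywords `crypto ikev1 am-disable`, `ikev1 pre-shared-key` and `ikev1 trust-point`, and both config excerpts are constructed samples.

```python
import re

# Constructed ASA-style running-config excerpts (sample input, not from the thread).
# "Before": group auth with a shared secret, aggressive mode still allowed.
WEAK_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess ipsec-attributes
 ikev1 pre-shared-key *****
"""
# "After": certificate (rsa-sig) auth via a trustpoint, aggressive mode disabled.
HARDENED_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess ipsec-attributes
 ikev1 trust-point ASA-VPN-CERT
"""

def audit_ikev1(config: str) -> dict:
    """Report whether aggressive mode is disabled and which tunnel-groups still
    use a PSK (the thread's premise: the IPsec client with a PSK needs aggressive
    mode, so only certificate auth lets main mode be enforced)."""
    psk_groups, cert_groups, psk_policies = [], [], 0
    current_group = None  # name of the tunnel-group whose ipsec-attributes we are in
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", line)
        if m:
            current_group = m.group(1)
            continue
        if line.startswith(("tunnel-group ", "crypto ")):
            current_group = None  # any top-level command ends the attributes block
        if current_group and line.startswith("ikev1 pre-shared-key"):
            psk_groups.append(current_group)
        elif current_group and line.startswith("ikev1 trust-point"):
            cert_groups.append(current_group)
        elif line == "authentication pre-share":
            psk_policies += 1
    am_disabled = any(l.strip() == "crypto ikev1 am-disable" for l in config.splitlines())
    return {"am_disabled": am_disabled, "psk_tunnel_groups": psk_groups,
            "cert_tunnel_groups": cert_groups, "psk_policies": psk_policies,
            "pci_ready": am_disabled and not psk_groups}
```

Run it over `show running-config` output saved to a file; a group listed under `psk_tunnel_groups` is one a PCI scan would still flag for aggressive mode.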
09-04-2013 02:21 PM
Hi Doug,
If you are trying to use a certificate to authenticate the IPsec VPN client, I think this document should give you the required information:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtm
Thanks
Jeet Kumar
09-04-2013 06:00 PM
The link you sent does not open.
09-04-2013 06:02 PM
Sorry, it was a typo. Try this one:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
Thanks
Jeet Kumar
09-05-2013 04:36 AM
I am running 8.6(1)2 on the ASA. I have checked the licensing and it shows AnyConnect: disabled.
09-05-2013 04:57 AM
Hi Doug,
You need to procure the license below for your ASA hardware to support the Cisco AnyConnect VPN client.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html
HTH
Regards
Santhosh Saravanan
09-05-2013 05:08 AM
So it looks like you can get the Cisco AnyConnect Essentials license for about $75 for 25 users. If I get this license then I will be able to use the AnyConnect client to connect in like I am currently with the VPN client, except that it will be with a cert so that I can pass PCI compliance, correct? No more shared secret, right? It looks like I can set up this program to automatically download from the server also.
09-05-2013 05:45 AM
Hi Doug,
I hope you are running ASA 5505 hardware in your environment.
Yes, you can go for procuring the AnyConnect Essentials VPN license for 25 users; only 25 concurrent users will be allowed to connect to your ASA hardware simultaneously.
AnyConnect Essentials VPN License - ASA 5505 (25 Users), quantity 1
ASA 8.x : VPN Access with the AnyConnect VPN Client Using Self-Signed Certificate Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
Configuring AnyConnect VPN Client Connections
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_anyconnect.html#wp1105461
HTH
Regards
Santhosh Saravanan

09-23-2014 05:21 AM
Hi Jeet,
I have the same issue and want to continue with the VPN client rather than AnyConnect.
I have a Windows 2012 CA server and cannot get a certificate template as IPSEC as mentioned in the document.
Do I need to have communication between the ASA and the CA server? If yes, please let me know which ports need to be opened.
What will be the FQDN on the ASA?
My CA server is part of AD but the ASA is not. In the document, it says
{ Make sure that you have a user account for the ASA (vpn server) with the CA server.}
What username should I use?
Looking forward to hearing from you soon.
Thanks & Regards
Ahmed...
02-03-2015 01:51 PM
Hi Ahmed,
Were you able to make it work? I have the same issue and am interested if you've found a solution.
Thanks,
Sean
02-04-2015 05:15 AM
After speaking with some Cisco experts, the only resolution I found was upgrading to use AnyConnect. I have to say it was well worth the investment. The tool is very easy to use, and with AD integration you do not have to worry about giving out passwords that can be reutilized (much more secure).
02-05-2015 11:00 AM
Thanks Doug, I'll check out the AnyConnect option.

09-05-2013 12:27 AM
Dear Doug,
What ASA code are you running on your ASA hardware? For Cisco AnyConnect you need to have code 8.0 on your hardware with the Cisco AnyConnect Essentials license enabled. Paste me your show version and I will help you with whether you need to procure a license for your hardware. By default your hardware will be shipped with the AnyConnect Essentials license when you have ordered your hardware with ASA code above 8.0.
With AnyConnect Essentials you are allowed to use up to the total VPN peers allowed based on your hardware.
1) What is the AnyConnect Essentials License?
The AnyConnect Essentials is a license that allows you to connect up to your "Total VPN Peers" platform limit with AnyConnect. Without an AnyConnect Essentials license, you are limited to the "SSL VPN Peers" limit on your device. With the AnyConnect Essentials license, you can only use AnyConnect for SSL; other features such as CSD (Cisco Secure Desktop) and using the SSL VPN portal page for anything other than launching AnyConnect are restricted.
You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
AnyConnect VPN Configuration:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
