
Cisco 1010 FTD FDM RAVPN Certificate Based Authentication Config

TimReedSent
Level 1

Hi all,

First time posting here and fairly new to the configuration of Cisco kit! Sorry if anything I ask here is completely obvious; however, I am really struggling to get this working!

We have recently bought a Cisco FirePOWER 1010 and I would like to configure certificate based authentication for the RA VPN on the device (I have all the licences required for this and can authenticate using the built in local DB - I would like to set up AAA & Certificate authentication). We have an internal CA set up using EasyRSA, so we have a CA certificate and can use it to sign other certificates. I will be using FDM to manage the device.

Looking at the documentation, I found it very confusing and wasn't sure of the process required to set this up. I was going to try to install the CA certificate as a Trusted CA Certificate within FDM. Is this correct? Following this, how do I use a certificate signed by that to authenticate through AnyConnect?

If I am incorrect here, would anyone be able to provide instructions regarding the configuration of this using FDM?

Thank you in advance for any help you can provide.

6 Replies

TimReedSent
Level 1

Hi there,

Thank you for providing the above URLs; however, I had configured the system as discussed in the second URL. I have imported our CA certificate as a "Trusted CA Certificate" and imported a certificate signed by that into my user personal certificate store. When I connect to the AnyConnect VPN using the client and select the connection profile, an error message stating "Certificate Validation Failure" is presented. In the log for the client I can see the message "No valid certificates available for authentication." despite having the signed certificate in both the User and Computer "Personal" stores.

Do you know if the CA certificate or the signed certificate need specific properties? Any ideas on how I can configure this? Sorry if the answer is very obvious, as stated above I am very new to Cisco kit!

@TimReedSent you need to create an Identity Certificate, which is signed by the Trusted CA certificate (root). You then reference this Identity Certificate in the RAVPN global configuration.

Hi Rob,

Thank you for responding to this and for your help. Unfortunately, I am still confused and unable to get the VPN working!

I have the following configured/created:

  1. CA Certificate created using EasyRSA.
  2. Client certificate, which has been created and signed by the above CA certificate. This certificate has full subject parameters (CN/OU/E etc)
  3. External domain certificate (remote.ourdomain.com), which has been generated by a third party CA for our externally facing VPN service

I have installed the CA certificate as a Trusted CA Certificate through the FDM interface. I have installed the client certificate on the laptop I am testing this from in the user's "Personal" certificate store. Also, I have installed the CA certificate as a Trusted Root CA on the laptop. On the connection profile in FDM, I have client certificate authentication configured with the username mapping configured to CN and E. I have also configured the external domain certificate in the "Certificate of Device Identity" so that users do not receive a certificate warning on accessing the web service. Should this be configured as something different?

Am I missing something in the above configuration? Sorry if I have misunderstood anything in your response!

Thanks in advance for any help you can give!

SinghRaminder
Level 1

As Rob mentioned, you are missing the Identity Certificate.

Consider this:

1. You have the CA cert on FDM: Good

2. The client has a cert signed by the same CA: Good

3. The FTD has the external domain certificate used by the URL to access it over the internet: Good

4. Do you have the internal-CA-signed Identity Certificate for the FTD, like you did for the client? That is the certificate presented by the FTD and client for the handshake and authentication. I am assuming you are missing that cert. You need to enroll your FTD to your internal CA, import the cert and select it under RAVPN.

Check and reply

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

Hi all,

Thanks for messaging regarding this and sorry for the delay in coming back.

I found my issue in the end! When setting up the Trusted CA Certificate I had not selected anything in the "Validation Usage for Special Services" option. Had to set this to "SSL Client" as that is the option to use the CA certificate to validate incoming RA VPN client certificates!!!! So much stress for such a simple thing!

Thank you again everyone for all your suggestions!
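As an added example, not part of the thread above and not Cisco's or EasyRSA's own code: the POSIX shell script below uses OpenSSL to build a throwaway internal CA (standing in for the EasyRSA CA), issues a client certificate with the clientAuth extended key usage and an FTD identity certificate with serverAuth (the two certificates Raminder's checklist asks for), and then runs `openssl verify -purpose sslclient`, which checks chain validity and purpose in the same way the "SSL Client" validation usage from the final post tells the FTD to check incoming RA VPN client certificates. It also pulls the CN and emailAddress out of the client certificate's subject, the fields the connection profile's username mapping was configured to read. All subject names, hostnames, file names and the `WORK` directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway internal CA with OpenSSL
# (standing in for EasyRSA), issue an AnyConnect client certificate and an FTD
# identity certificate, then check each one for chain validity AND purpose,
# which is what the "SSL Client" validation usage does for incoming RA VPN
# client certificates. All names, subjects and paths below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
O = Example
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for leaf certificates. The extended key usage is the part that
# matters: a VPN client certificate needs clientAuth, the FTD identity
# certificate (like the public remote.ourdomain.com cert) needs serverAuth.
cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ftd.internal.example
EOF

# make_ca: self-signed root, the file you would upload to FDM as a Trusted CA.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf \
    -days 365 -sha256 -keyout ca.key -out ca.crt >/dev/null 2>&1
}

# issue <name> <subject> <extfile>: CSR plus CA-signed certificate.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
}

# verify_purpose <cert> <purpose>: exit 0 only if the certificate chains to
# ca.crt and its key usage / extended key usage permits <purpose> (sslclient
# or sslserver). A client cert that chains correctly but fails the purpose
# check is the "No valid certificates available for authentication" case.
verify_purpose() {
  openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1
}

# subject_field <cert> <attr>: print one subject attribute (CN, emailAddress),
# the values a username-from-certificate mapping of CN / E would read.
subject_field() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n "s/^ *$2=//p"
}

make_ca
issue client "/CN=tim.reed/OU=IT/emailAddress=tim.reed@example.com" client.ext
issue ftd "/CN=ftd.internal.example/O=Example" server.ext

# client.crt is valid for sslclient only; ftd.crt for sslserver only.
for pair in client:sslclient ftd:sslserver client:sslserver ftd:sslclient; do
  name="${pair%%:*}"; purpose="${pair##*:}"
  if verify_purpose "$name.crt" "$purpose"; then
    echo "$name.crt: valid for $purpose"
  else
    echo "$name.crt: REJECTED for $purpose"
  fi
done
echo "VPN username from CN: $(subject_field client.crt CN)"
echo "VPN username from E:  $(subject_field client.crt emailAddress)"
```

The useful check here is the one that fails: a certificate that chains to the trusted CA but carries the wrong extended key usage is rejected for `-purpose sslclient`, so running this against a real EasyRSA-issued client certificate (point `-CAfile` at the EasyRSA `ca.crt`) tells you whether the certificate itself is usable for client authentication before you spend time on the FDM side.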