Cisco AnyConnect Client - Specify Cert Store in Profile

Jason Nash
Level 1

Hi All,

Running Cisco AnyConnect Client version 2.5.2019 with Cisco ASA 5510 version 8.4(1)

I cannot seem to get the Certificate Store profile option to work (see attached image). I am setting this to user, when this is set it correctly propagates to the client as you can see it in the configuration file on the client machine but it does not seem to take effect.

When a user is logged in who has admin rights, and so access to both the local machine and user stores, it incorrectly takes a certificate from the local machine store. I know there is a valid cert in the user store for these users as if I delete the local machine cert it then takes the user cert.

No problem for users without admin rights as they don't have access to the local machine store.

Anyone have any ideas why this does not work?

Jason


Herbert Baerten
Cisco Employee

Jason,

if you still need help with this: verify in the event log whether or not it is actually using the profile, my guess is it is not (it will say something like "no profile available for host").

When you connect, the client will search all of its profiles (you can have more than one in your profiles directory) for one that has a host entry that matches the name/hostname/ip address that you are trying to connect to. If none of the profiles has a matching host entry, it will use default settings (which for cert store, I believe is "all" - you'll see that in the eventlog as well).

So my guess (obviously without seeing the logs it's just a guess) is that you should go to the "Server List" page in the profile editor and add an entry there.

hth

Herbert
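The selection rule Herbert describes, as an added illustration that is not code from the thread or from Cisco: a profile's settings only take effect when one of its ServerList HostEntry elements matches the host being connected to, otherwise the client falls back to defaults. The element names, the assumed default of "All", and both sample profiles are constructed assumptions, not taken from the AnyConnect schema or the poster's configuration.

```python
# Added example: models why a CertificateStore setting is ignored when the
# profile has no matching ServerList entry. Element names and the "All"
# default are assumptions; both profiles are constructed sample input.
import xml.etree.ElementTree as ET

DEFAULT_CERT_STORE = "All"  # assumed client default when no profile matches

# Constructed: profile with CertificateStore set but an empty ServerList.
PROFILE_NO_SERVERLIST = """<AnyConnectProfile>
  <ClientInitialization>
    <CertificateStore>User</CertificateStore>
  </ClientInitialization>
  <ServerList/>
</AnyConnectProfile>"""

# Constructed: same profile with a HostEntry for the VPN headend.
PROFILE_WITH_SERVERLIST = """<AnyConnectProfile>
  <ClientInitialization>
    <CertificateStore>User</CertificateStore>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.org</HostName>
      <HostAddress>vpn.example.org</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def profile_matches_host(profile_xml, target):
    """True if any HostEntry HostName or HostAddress equals target (case-insensitive)."""
    root = ET.fromstring(profile_xml)
    for entry in root.iter("HostEntry"):
        for tag in ("HostName", "HostAddress"):
            node = entry.find(tag)
            if node is not None and node.text and node.text.strip().lower() == target.lower():
                return True
    return False


def effective_cert_store(profiles, target):
    """Return the CertificateStore of the first profile whose ServerList matches
    target; with no matching profile, return the assumed default."""
    for profile_xml in profiles:
        if profile_matches_host(profile_xml, target):
            node = ET.fromstring(profile_xml).find("ClientInitialization/CertificateStore")
            if node is not None and node.text:
                return node.text.strip()
    return DEFAULT_CERT_STORE
```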

Sounds like a plan, I don't have anything in the 'Server List Entry' page so this sounds like it could be the cause. I will give this a go and come back to you.

Thanks Herbert.

Jason Nash
Level 1

Hi Herbert,

You are quite right, the event log does indicate that the profile is not found. I was also missing the entry in the server list. I have since gone in and added this but I still cannot seem to get this working. When I export the profile from ASDM I can see the server host entries, but in the profile which is downloaded to the client these are not there.

I know the most recent profile is going down to the client, as if I delete it, it is recreated. The whole server list section as below is missing, but it does show on the exported version.

    xxxx.yyy.org.uk
    xxxx.yyy.org.uk

Any ideas?

Jason

Hi Jason

it sounds as if the ASA is actually still pushing the old profile to the client.

From the CLI, check:

dir cache:/stc/profiles

more cache:/stc/profiles/

I guess that this will show you the old profile.

How did you modify it exactly? Using the profile editor in ASDM? Did you push "apply" afterwards, did you get any errors?

In any case, use "more disk0:" to verify that the profile on flash is correct (i.e. that it does have the serverlist), then force the ASA to re-load that file using:

conf t

webvpn
svc profiles disk0:/

Then check "more cache:/stc/profiles/" again to verify that it took it.

hth

Herbert

Thanks Herbert! That did the trick. I amended the profile in ASDM and I am pretty sure I clicked apply, I don't recall any errors. It seemed to be incorrect in the cache but fine on flash, the commands you provided resolved the issue. It is now picking up the correct certificate.

Thanks again

Jason