Cisco AnyConnect Display Name

Hello There,

 

When I am trying to access Cisco AnyConnect via the Display Name, it gives me a "certificate is not trusted" error.

The trusted certificate is already installed, but when I try to access it by FQDN, "vpn.abc.com", it works without a certificate error.

 

Can anyone help me out for this situation?

 

Thanks

Ankit 

8 Replies

Francesco Molino
VIP Alumni
Hi

When talking about display name, do you mean a local alias?
Can you explain a bit more, please?

If your certificate has been signed/generated for vpn.abc.com and it isn't a wildcard certificate, and you try to access using vpnabc (which redirects to an IP or something), it's normal that you're getting "certificate not trusted".

That's why I'm asking for some clarity on your connection process, to make sure I can give you the correct answer.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for your reply.

 

I have attached image about display name.

 

The certificate we have got from geotrust.

 

When you connect AnyConnect for the very first time with vpn.abc.com, the AnyConnect connection profile downloads to the computer, and the next time you connect you can connect through the display name. That is when we get the certificate error message.

 

Thank you

Ankit

Hi Ankit,

 

Could you post a screenshot of the error you are seeing? AnyConnect has two possible dialogs that can show up: one for an untrusted certificate because you don't have the proper chain installed on the client, and the other for a possible mismatch of the server name on the identity cert compared to what is in the profile.

 

The entry (IP or FQDN) in the SAN field of your Identity certificate configured on the ASA must match what is in your profile under the "HostAddress" field for the Display Name you are connecting to.  AnyConnect will use the Display Name you entered and match it to the "HostName" field in the profile.

 

<HostEntry>
<HostName>VPN Displayname</HostName>   <-- This is the "Display Name"
<HostAddress>foo.bar.com</HostAddress>   <-- If this value doesn't match the SAN field of your ASA cert, you will get the untrusted message.
</HostEntry>

 

My guess is that one has the FQDN and the other has the IP address.

 

Hope this helps

Steve S.

 

Hello

 

Sorry for late reply.

 

It started working on laptops without the security warning (without disabling "Block connections to untrusted servers" in the AnyConnect client software).

 

Now the problem is that it is still giving me an error on cell phones and MacBooks only. I have attached the error image.

If I disable "Block connections to untrusted servers", it works, but we don't want to do that.

 

Thanks

Ankit

Can you open the FQDN using your Internet browser and check the certificate? Can you share the certificate so we can see if it's a valid one, with the full chain, that would be seen as trusted?

You can also use openssl to view the certificate and the chain the server presents with the following command:
openssl s_client -connect vpn.xxxx.com:443 -servername vpn.xxxx.com -showcerts

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
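To tie together Steve's rule (the profile's HostAddress must be covered by a SAN on the ASA identity certificate) and Francesco's openssl check, here is an added checker that is not part of this thread. It parses the ServerList of an AnyConnect profile and compares each HostAddress against the SAN line as printed by openssl; both the profile and the SAN output below are constructed samples, and the wildcard handling (one left-most label only) is the usual browser rule, not something stated in the thread.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # AnyConnect profile namespace

# Constructed sample profile (not the poster's): one FQDN entry, one IP entry.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>VPN Displayname</HostName><HostAddress>vpn.abc.com</HostAddress></HostEntry>
    <HostEntry><HostName>VPN by IP</HostName><HostAddress>192.0.2.10</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output for the ASA cert.
SAMPLE_SAN_OUTPUT = "X509v3 Subject Alternative Name:\n    DNS:vpn.abc.com, DNS:www.abc.com, IP Address:198.51.100.5\n"

def parse_host_entries(profile_xml):
    """Return (HostName, HostAddress) pairs from the profile's ServerList."""
    root = ET.fromstring(profile_xml)
    return [(he.findtext("ac:HostName", default="", namespaces=NS).strip(),
             he.findtext("ac:HostAddress", default="", namespaces=NS).strip())
            for he in root.findall(".//ac:ServerList/ac:HostEntry", NS)]

def parse_sans(openssl_output):
    """Split openssl's SAN line into DNS names (lower-cased) and IP addresses."""
    dns, ips = set(), set()
    for kind, value in re.findall(r"(DNS|IP Address):([^,\s]+)", openssl_output):
        if kind == "DNS":
            dns.add(value.lower())
        else:
            ips.add(value)
    return dns, ips

def san_matches(host_address, dns, ips):
    """True if the HostAddress is covered by the certificate's SANs."""
    try:  # an IP HostAddress needs an IP SAN; a DNS SAN never covers an IP
        return str(ipaddress.ip_address(host_address)) in ips
    except ValueError:
        pass
    host = host_address.lower()
    if host in dns:
        return True
    parent = host.partition(".")[2]  # a wildcard SAN covers one left-most label only
    return bool(parent) and ("*." + parent) in dns

def check_profile(profile_xml, openssl_output):
    """Map each Display Name to whether its HostAddress matches the cert's SANs."""
    dns, ips = parse_sans(openssl_output)
    return {name: san_matches(addr, dns, ips)
            for name, addr in parse_host_entries(profile_xml)}
```

In the sample the FQDN entry passes and the IP entry fails, which is exactly the "one has the FQDN and the other has the IP address" situation Steve describes.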

I cannot send you a private message, so I am posting my main profile here.

 

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreMac>All</CertificateStoreMac>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>30</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
    <DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4</IPProtocolSupport>
    <AutoReconnect UserControllable="true">true
      <AutoReconnectBehavior UserControllable="true">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>true
      <UserEnforcement>SameUserOnly</UserEnforcement>
    </RetainVpnOnLogoff>
    <CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>CSM Edmonton</HostName>
      <HostAddress>vpn.csm-compressor.com</HostAddress>
      <UserGroup>Staff/</UserGroup>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

I replied to your PM with an XML file to test; once it works, we'll post the solution here so it can help others.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

 

Sorry, I was busy with some other stuff. I will try ASAP and will let you know.

 

Thanks for your help.