615 Views | 0 Helpful | 2 Replies

Cisco ASA and FTD AnyConnect with Machine Only Certificate Auth

g_whip
Level 1

Hi, thanks for reading. I'm trying to configure an ASAv and a Firepower 2120 to authenticate machine certificates in addition to our current auth method, which is RADIUS AAA. The normal RADIUS config works great, and has been, but I can't seem to get the new test profile that uses AAA and certificate working.

I've loaded the Sub-CA certificate in ASDM under Configuration > Remote Access VPN > Certificate Management > CA Certificates. It shows up as ASDM_TrustPoint6, with usage as Signature, and shows Active as Yes.

In the client Profile, I have Certificate Store Override selected so that machine certificates are available. I have temporarily disabled Automatic Certificate Selection, just so that I can manually choose my certificate each time to make sure it gets the right one (although I will be using certificate matching on the Key Usage and Issuer in the future to auto-select for clients).

When I connect to the server, I get my normal popup to select my Group. When I choose the test Group with cert auth, I get prompted to select my machine certificate. I select the machine certificate, the one issued by the same Sub-CA certificate I have uploaded to the CA.

I immediately receive the message "Certificate Validation Failure" in a popup. I press OK on that dialog, and of course am not allowed to connect. I can't figure out why this is. Does anyone have any hints on where I should be looking?

2 Replies

msegersvard
Level 1

I use certificates often but am not sure what you mean by Sub-CA cert. Also I doubt "signature" is the usage ASA requires from the cert, I'd have to check the documentation on that.
When I build machine ca cert authentications I prefer to just export the certificate from windows machine and import it to ASA. That way I can be sure that it is from the correct CA and I don't need to wait for CA admin to export it to me.

Manage computer certificates > Trusted Root Certification Authorities > Certificates > export the one that has issued the machine certificate as a Base64 .cer file.

That's actually how I exported the certificate, straight from my machine. A Sub-CA is just a non-root certificate authority. So I have my Certificate Authority, which is always offline and issues certificates to my Enterprise sub-CAs so that they can issue certificates to computers. That's the standard practice for CA security. So the one I imported is the exact CA that issued my cert.

As far as signature usage, I'm also concerned with that piece, but don't know how to change it and can't find any docs on it.
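The thread turns on two questions: does the machine certificate chain to the exact CA certificate that was imported, and does it carry the key usage the headend expects? The Go program below is an added example, not code from the thread, from Cisco, or from any ASA/FTD component. It builds the PKI the poster describes (offline root, enterprise Sub-CA, machine certificates) in memory with constructed names, then validates each machine certificate against a single trust anchor using only the Go standard library. It assumes, as a model of the headend check rather than a statement of ASA behaviour, that the client certificate must chain to the loaded trustpoint with no extra intermediates and must carry the clientAuth extended key usage; the thread itself does not say which usage the ASA requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the constructed PKI: offline root, enterprise Sub-CA, and three
// machine certificates that differ in issuer or extended key usage (EKU).
type Hierarchy struct {
	Root, SubCA, Machine, MachineServerOnly, MachineOtherIssuer *x509.Certificate
}

// newTemplate returns a certificate template; CA templates get the certSign key usage.
func newTemplate(cn string, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	n, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil { panic(err) }
	t := &x509.Certificate{
		SerialNumber:          n.Add(n, big.NewInt(1)), // random, strictly positive serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with parentKey; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// BuildHierarchy constructs the example PKI in memory; all names are made up and no real CA is involved.
func BuildHierarchy() Hierarchy {
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	root, rootKey := issue(newTemplate("Example Offline Root CA", true, nil), nil, nil)
	subCA, subKey := issue(newTemplate("Example Enterprise Sub-CA", true, nil), root, rootKey)
	otherSubCA, otherKey := issue(newTemplate("Example Other Sub-CA", true, nil), root, rootKey)
	machine, _ := issue(newTemplate("WORKSTATION01.example.local", false, clientAuth), subCA, subKey)
	// Issued by the right Sub-CA but from a template that only grants serverAuth.
	serverOnly, _ := issue(newTemplate("WORKSTATION02.example.local", false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), subCA, subKey)
	// Issued by a sibling Sub-CA that was never loaded as a trustpoint.
	otherIssuer, _ := issue(newTemplate("WORKSTATION03.example.local", false, clientAuth), otherSubCA, otherKey)
	return Hierarchy{Root: root, SubCA: subCA, Machine: machine,
		MachineServerOnly: serverOnly, MachineOtherIssuer: otherIssuer}
}

// VerifyAgainstTrustpoint models the headend-side check assumed by this example:
// the client certificate must chain to the single loaded trustpoint (no
// intermediates are supplied, mirroring a setup where only the Sub-CA was
// imported) and must carry the clientAuth EKU.
func VerifyAgainstTrustpoint(leaf, trustpoint *x509.Certificate) error {
	anchors := x509.NewCertPool()
	anchors.AddCert(trustpoint)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     anchors,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Classify reduces a verification error to a short label for display and testing.
func Classify(err error) string {
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown authority"
	case errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage:
		return "incompatible key usage"
	}
	return "other: " + err.Error()
}

func main() {
	h := BuildHierarchy()
	fmt.Println("machine cert, trustpoint = issuing Sub-CA:", Classify(VerifyAgainstTrustpoint(h.Machine, h.SubCA)))
	fmt.Println("serverAuth-only cert, same Sub-CA:        ", Classify(VerifyAgainstTrustpoint(h.MachineServerOnly, h.SubCA)))
	fmt.Println("cert from a different Sub-CA:             ", Classify(VerifyAgainstTrustpoint(h.MachineOtherIssuer, h.SubCA)))
	fmt.Println("machine cert, trustpoint = root only:     ", Classify(VerifyAgainstTrustpoint(h.Machine, h.Root)))
}
```

Only the first case validates. The last case is the one most relevant to the exchange above: if the trust anchor is the offline root rather than the issuing Sub-CA, and the Sub-CA is not also presented as an intermediate, the chain cannot be built even though the machine certificate is perfectly good. The same kind of check can be run against real exported files by replacing the constructed certificates with `x509.ParseCertificate` calls on the DER of the exported `.cer` files.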