3976 Views | 0 Helpful | 3 Replies

Cisco ASA Anyconnect SSL VPN Multiple Certificate

CSCO10675262_2
Level 1

Hi,

I would like to check how it may be possible to perform SSL VPN using Cisco AnyConnect for clients with multiple certificates installed. The setup is as follows:

ASA1:

asa1.abc.xyz.com (FQDN)

ASA2:

asa2.def.xyz.com (FQDN)

A user has the following certificates installed in the personal certificate store (Windows):

1. A personal certificate from user1.abc.xyz.com

2. Another personal certificate from User1.def.xyz.com

When the client PC connects to ASA1, how do I ensure that it picks the correct user certificate for SSL VPN authentication using the AnyConnect client? I have tried a few times to connect to ASA1 and the AnyConnect client seems to pick the incorrect certificate (User1.def.xyz.com) instead of the correct one. Disabling automatic certificate selection seems to resolve the VPN connection issue; however, I was wondering if there may be an easier/more seamless approach instead of asking end users to select the certificate.

Any suggestions are appreciated.

Thanks.

3 Replies

Varinder Singh
Cisco Employee

Hi,

You can implement this by certificate matching in the XML profile. Here is what you have to do.

Create an XML profile on ASA1 which connects to the tunnel group having certificate authentication.

In the XML profile, select matching criteria to select the ASA1 certificate, which can be on the basis of CN, company, etc.

Once the user connects to the URL, which is also defined in the server list in the XML profile, it will pick up the correct certificate from the store.

You can find more information from following link:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html#wp1216866

Regards,

Varinder

P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

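The certificate-matching profile described in the reply above, written out as an added example (this is not a profile from the original thread or from Cisco; the subject CN pattern `*.abc.xyz.com`, the HostName label and the UserGroup alias `cert-auth` are assumptions chosen to fit the hostnames in the question). The profile restricts AnyConnect's automatic selection to certificates that are valid for TLS client authentication and whose subject CN falls under abc.xyz.com, so the User1.def.xyz.com certificate is never offered to ASA1:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example AnyConnect client profile for ASA1. Patterns and names are assumed. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Keep automatic selection on; the CertificateMatch block below narrows the candidates -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <!-- Search both the machine and the user (personal) store on Windows -->
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <CertificateMatch>
      <!-- Only certificates usable for TLS client authentication are candidates -->
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <!-- Subject CN must match the assumed pattern for the abc.xyz.com domain.
           Wildcard and case-insensitive matching cover "user1" vs "User1". -->
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Disabled">
          <Name>CN</Name>
          <Pattern>*.abc.xyz.com</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Display name (assumed) and the FQDN from the question -->
      <HostName>ASA1</HostName>
      <HostAddress>asa1.abc.xyz.com</HostAddress>
      <!-- Tunnel-group alias with certificate authentication (assumed name) -->
      <UserGroup>cert-auth</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

ASA2 gets its own profile with the pattern changed to `*.def.xyz.com` and the HostAddress set to asa2.def.xyz.com. On the ASA the file is registered under `webvpn` with `anyconnect profiles <name> disk0:/<file>.xml` and attached to the group policy with `anyconnect profiles value <name> type user`; the client then applies the matching rules of the profile whose ServerList contains the host it is connecting to. A match on the issuer (`ISSUER-CN` or `ISSUER-O`) is more robust than a subject pattern when the two certificates come from different CAs, since it does not depend on how user names are spelled in the subject.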

Hi Varinder,

Appreciate the update. I am not too sure if my understanding of the profile is correct; would the profile only be downloaded to the client upon a successful VPN connection? If so, I was wondering how I may get the clients to download the profile set up on the ASA so that they may connect correctly. Both ASAs make use of certificate authentication with certificate mapping set up (there are multiple group policies on the ASA).

The scenario is as follows:

1. When the client first connects to either ASA1 or ASA2, it will need to present the correct certificate for the correct certificate mapping to be performed by the ASA.

2. If an incorrect certificate is presented to the ASA, the VPN connection will not be established.

3. Each ASA has both internal and external CAs set up for it; hence the certificate mapping on the ASA.

4. If a client has a single certificate in its personal store, this is not an issue, as the VPN is established successfully. However, if a client has 2 or more certificates in its personal store, I am not too sure how to ensure the client selects the correct certificate for connection to ASA1 as well as ASA2 without having the end users select the certificate manually.

Thanks.

Any suggestions are appreciated.

Hi.


Were you able to find a fix for this?

We're facing the exact same issue, and so far we haven't been able to find a workaround.