Solved: Re: Cisco ASA Certificates for AnyConnect

Matthew Martin · ‎11-02-2018

Hello All,

Sorry ahead of time as Certs are not really my forte...

We are using the Cisco AnyConnect client for VPN Access. We also use Cisco ISE along with the ASA for VPN Auth. The AnyConnect Connection Profile is using the "Both" option for Authentication Method (*i.e. AAA and Certificate).

We have 2 ASA pairs. One Primary ASA pair and another pair located in our DR location for failover in case the primary site is down.

Now, I am able to login to VPN in our primary site without issue, so I assume the client PC's certificates are fine.

But, when I attempt to login to the DR location's VPN (*which was working sometime ago) I get a Certificate error. The first thing I get when I select the Failover VPN from the AnyConnect client is a pop-up saying "Security Warning: Untrusted Server Certificate! AnyConnect cannot verify server ..... Certificate has an invalid date". So I click the "Connect Anyway" button and in the AnyConnect window I see: "No valid certificates available for authentication" and then that message in AnyConnect changes to "Certificate validation failure".

However, if I try to login to the Primary ASA VPN, which has pretty much identical setup as the Failover one, I can login without issue on the same PC.

Does this mean that a Cert on the Failover ASA is invalid/wrong? Which certs on the ASA does this point to?

Any help would be greatly appreciated!

Thanks in Advance,

Matt

David Castro F. · ‎11-04-2018

Hello Matt,

I hope you are doing great,

Actually you dont need to get the cert signed since it is already signed, what I would recommend you is to export the PKCS12 format from the primary ASA and open the Failover ASA and I guess that the Trustpoint3 is the CSR created for it, right there you need to install the SSL certificate. The steps are really easy if using ASDM you need to go to "Certificate management-Identity certs, open the "Trustpoint3" and install there the cert". After that you need to place the cert as:

- ssl trust-point ASDM_Truspoint_3 outside

This way the cert will be used outside same as the primary ASA, below a links with the steps:

https://www.sslsupportdesk.com/ssl-installation-instructions-for-cisco-asa-5510/

Then for the certificate authentication, make sure that the failover ASA has the CA certificate from the PKI CA Server, same as below image:

-

So if a user has an identity cert from the CA server and the ASA has it too, the ASA will validate the user. Below a link for this cert based authentication:

- https://community.cisco.com/t5/security-blogs/anyconnect-certificate-based-authentication/ba-p/3105546

Keep us posted,

Please qualify all of the helpful answers,

David Castro,

View solution in original post

Rahul Govindan · ‎11-02-2018

So the certs on the Failover ASA are definitely incorrect. Do a "show run ssl" to see what ssl trustpoint is bound to the outside/WAN interface of the Failover Firewall. You may have the wrong certificate bound to the outside.

Second issue is where client cert authentication is failing. If I recall my Anyconnect concepts correctly, the client uses the ASA server certificate as one of the criterion for choosing the right client certificate to send as a part of the SSL handshake, i.e; if you do not have explicit client certificate matching rules set through the client xml profile. So again, this might stem from issue#1, where the Failover ASA is sending the wrong cert as part of the handshake.

Matthew Martin · ‎11-02-2018

Hey Rahul, thanks for the reply.

From Failover ASA:

# show run ssl 
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
ssl trust-point ASDM_TrustPoint2 outside

From Primary ASA:

# show run ssl
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_TrustPoint3 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip

I think the issue might be because of a DigiCert that we recently purchased. We had a Network Security contractor in recently and part of what he did when he was here was to put the DigiCert that we Purchased on ISE and I guess he put it on the Primary ASA as well. But, he didn't put it on the Failover ASA.

Do you think that's the problem? I thought the Cert was only being installed for internal access to the ASA and also for our ISE Guest Portal. But, I guess not...

If what I'll need to do is get the DigiCert on the Failover ASA, then I'll probably have to wait until Monday, because I don't have access to that Cert at the moment, and I assume I'll need to get it signed for that particular server. Is that correct?

Thanks,

Matt

David Castro F. · ‎11-04-2018

Hello Matt,

I hope you are doing great,

Actually you dont need to get the cert signed since it is already signed, what I would recommend you is to export the PKCS12 format from the primary ASA and open the Failover ASA and I guess that the Trustpoint3 is the CSR created for it, right there you need to install the SSL certificate. The steps are really easy if using ASDM you need to go to "Certificate management-Identity certs, open the "Trustpoint3" and install there the cert". After that you need to place the cert as:

- ssl trust-point ASDM_Truspoint_3 outside

This way the cert will be used outside same as the primary ASA, below a links with the steps:

https://www.sslsupportdesk.com/ssl-installation-instructions-for-cisco-asa-5510/

Then for the certificate authentication, make sure that the failover ASA has the CA certificate from the PKI CA Server, same as below image:

-

So if a user has an identity cert from the CA server and the ASA has it too, the ASA will validate the user. Below a link for this cert based authentication:

- https://community.cisco.com/t5/security-blogs/anyconnect-certificate-based-authentication/ba-p/3105546

Keep us posted,

Please qualify all of the helpful answers,

David Castro,

Matthew Martin · ‎11-05-2018

Hey David, thanks for the reply, much appreciated.

Identity Certificate: So I need to do the following, correct?

Export the "Identity" DigiCert from Primary ASA in PKSC12 format and save it locally.
Open the backup/failover ASA in ASDM and go to Cert Management > Identity Certs, and click Add. When I click Add I see in the Trustpoint Name box its automatically using the name "ASDM_TrustPoint3", and its using the "Import" option. Click Browse and select the PKSC12 file I downloaded from the Primary, enter the Passphrase, and then should I leave the checkbox for "Enable CA flag in basic constraints extension"..?
Then click "Add Certificate".
Then, add this command through the CLI --> "ssl trust-point ASDM_TrustPoint3 outside"

CA Certificate:
Our Failover/Backup ASA already has a Certificate from our internal Windows CA Server (*assigned to ASDM_Trustpoint1). When a client PC joins our Domain the AD server automatically pushes a Cert to their machine from that Windows CA server. This is the only certificate under CA Certs on the Failover ASA.

The Primary ASA has a Cert from the CA server (*ASDM_Trustpoint1) as well as the DigiCert (*ASDM_Trustpoint3).

Since it doesn't appear that CA certs can be Exported, do I need to get a copy of the original DigiCert and add that to the Failover as well?

Thanks again for the reply and the links, much appreciated!

-Matt

David Castro F. · ‎11-05-2018

Hello Matthew,

Let me answer all your questions below:

Identity Certificate: Do all those steps but on step 3, please proceed to check the "Enable CA flag in basic constraints extension", below I will paste the reason:

"Certificates without the CA flag now cannot be installed on the ASA as CA certificates by default. The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. Bypass this requirement by unchecking the option."

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

Here you can see a CLI approach to do the export and import as well:

https://knowledge.digicert.com/solution/SO5091.html

CA Certificate:
This looks good and should be enough.

Since it doesn't appear that CA certs can be Exported, do I need to get a copy of the original DigiCert and add that to the Failover as well?

The PKCS12 should have the "certificate chain" which is the identity certificate/Intermediate CA/Root CA, so you dont need to export the digit cert CA certificate from the primary, the PKCS12 will install it.

Keep me posted!

Please qualify all the helpful answers and mark as correct if it solved the issue,

Regards,

David Castro

Matthew Martin · ‎11-05-2018

Excellent, thanks David.

That did it, I no longer receive the Cert warning and I can login to VPN just fine.!

Thanks Again,
Matt

David Castro F. · ‎11-05-2018

Hi Matt,

Thats great man that it got resolved.

Thanks!

David Castro,

armando.pariota · ‎12-08-2019

My solution has been to remove the CSR in pending status and create a new one with the same configuration but without the flag on "Enable CA flag in basic constraints extension".