11-07-2014 07:08 AM - edited 02-21-2020 07:55 PM
Hi, all,
Could you please help with AnyConnect settings for certificate authentication. I get Certificate Validation Failure. I've put the CA cert in the Cisco ASA and enrolled the Cisco ASA certificate in the CA server. I also downloaded a user certificate from the CA. I disabled automatic certificate selection on AnyConnect and manually chose my certificate, and I still get Certificate Validation Failure.
I managed to successfully authenticate through Firefox, but through IE and Chrome I can't.
Help please.
My config and successful authentication are below:
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http redirect inside 80
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint AnyConnect_VPN_2
enrollment terminal
fqdn 192.168.1.127
subject-name CN=192.168.1.127,OU=Tech,O=$$$
keypair AnyConnect_VPN_Key
crl configure
crypto ca trustpoint AnyConnect_VPN
enrollment terminal
fqdn 192.168.1.127
subject-name CN=ciscoasa
ip-address 192.168.1.127
keypair AnyConnect_VPN_Key
crl configure
crypto ca trustpool policy
crypto ca certificate map AnyCon 10
subject-name attr ou eq spb
crypto ca certificate chain AnyConnect_VPN_2
certificate 51c79d940000000000b0
3082060b 308204f3 a0030201 02020a51 c79d9400 00000000 b0300d06 092a8648
86f70d01 01050500 30423115 3013060a 09922689 93f22c64 01191605 6c6f6361
6c311630 14060a09 92268993 f22c6401 19160662 656c7465 6c311130 0f060355
quit
certificate ca 2b532289c312d28b474f3d0e0680376b
30820374 3082025c a0030201 0202102b 532289c3 12d28b47 4f3d0e06 80376b30
0d06092a 864886f7 0d010105 05003042 31153013 060a0992 268993f2 2c640119
16056c6f 63616c31 16301406 0a099226 8993f22c 64011916 0662656c 74656c31
11300f06 03550403 13084265 6c74656c 4341301e 170d3131 31303139 30383532
quit
crypto ca certificate chain AnyConnect_VPN
certificate 51c79d940000000000b0
3082060b 308204f3 a0030201 02020a51 c79d9400 00000000 b0300d06 092a8648
86f70d01 01050500 30423115 3013060a 09922689 93f22c64 01191605 6c6f6361
6c311630 14060a09 92268993 f22c6401 19160662 656c7465 6c311130 0f060355
quit
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint AnyConnect_VPN
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.3 source inside
ntp server 192.168.0.3 source inside
ssl trust-point AnyConnect_VPN inside
ssl trust-point AnyConnect_VPN outside
webvpn
enable inside
enable outside
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 2
anyconnect profiles AnyConnectAsav1_Client_profile disk0:/anyconnectasav1_client_profile.xml
anyconnect profiles AnyConnectTest_client_profile disk0:/AnyConnectTest_client_profile.xml
anyconnect enable
tunnel-group-list enable
tunnel-group-preference group-url
internal-password enable
smart-tunnel list AllExternalApplications All-Applications * platform windows
smart-tunnel list Smart-Applic-List RDP mstsc.exe platform windows
certificate-group-map AnyCon 10 AnyConnectTest
group-policy GroupPolicy_AnyConnectTest internal
group-policy GroupPolicy_AnyConnectTest attributes
banner value You connect to ASAv_1
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
group-lock value AnyConnectTest
split-tunnel-policy excludespecified
split-tunnel-network-list value Splite
default-domain value $$$
webvpn
anyconnect profiles value AnyConnectAsav1_Client_profile type user
smart-tunnel auto-start AllExternalApplications
username user1 password tJsDL6po9m1UFs.h encrypted privilege 15
username user3 password cmIVqIrgboX9/Nz/ encrypted
username user3 attributes
service-type remote-access
username user2 password G1SInyx0A0./Dx3t encrypted
username user2 attributes
service-type remote-access
tunnel-group AnyConnectTest type remote-access
tunnel-group AnyConnectTest general-attributes
address-pool AnyConnectPool_1
default-group-policy GroupPolicy_AnyConnectTest
username-from-certificate use-entire-name
tunnel-group AnyConnectTest webvpn-attributes
authentication certificate
group-alias AnyConnectTest enable
tunnel-group-map enable rules
tunnel-group-map default-group AnyConnectTest
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
11-07-2014 08:57 AM
The ASA 1000v does not support remote access VPN. Reference.
11-07-2014 10:56 PM
11-08-2014 04:59 AM
The ASAv and ASA 1000v are not the same. The ASA 1000v runs within the data center as a sort of a plug-in on the Nexus 1000v switch and is a firewall designed primarily to protect 'east-west' traffic between servers. The ASAv is a virtual ASA and supports a more complete set of features, including remote access VPN.
11-09-2014 01:09 AM
Marvin,
I'm sorry, I was wrong in the name of this discussion; I'm talking about ASAv... Do you see any errors in the config which could be the reason for the certificate validation failure?
11-09-2014 06:47 AM
OK.
Can you confirm from examining the client certificate that the Organizational Unit (OU) is set to "spb"?
Are you also seeing the username on the client certificate as one of your configured users (user1, user2 or user3)?
You may find this link useful. It's about IKEv2 and certificate authentication but the certificate bits should be pretty much identical.
11-10-2014 12:40 AM
Marvin,
OU is set to spb, see attached screenshot please.
I'm using a domain user ID, so on the Cisco ASAv I created a user whose username is the same as in the user certificate (see attached screenshot).
username v.semenov@domain password <password>
I used the AnyConnect wizard and all configuration regarding IKEv2 etc. is correct. Most amazing is that certificate validation is successful through Mozilla, and in the attached logs you can see that Mozilla is automatically using the v.semenov@domain account.
11-10-2014 05:35 AM
Hmm OK. It's looking like a potential bug on the client side.
If you're using AnyConnect perhaps you can use the Diagnostic and Reporting Tool (DART) module and open a case with Cisco. They can run that through their debug analyzers to get a better idea of the root cause.
11-11-2014 03:02 AM
Marvin,
I got new results.
My user certificate was without an included private key. I requested a new certificate through the MMC console and successfully got a certificate with a private key, and I'm successfully authenticated, but only once! I can successfully authenticate through any browser, but now I can't connect through the AnyConnect client.
The debug shows this info:
ciscoasa# debug webvpn 255
INFO: debug webvpn enabled at level 255.
I'm trying to connect:
ciscoasa# Certificate mapping found for webvpn group AnyConnectTest
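The two things Marvin asked to confirm earlier in the thread (is the client certificate's OU really "spb", so that the map rule "subject-name attr ou eq spb" fires, and which subject name the ASA will take for "username-from-certificate") and the cause found in the post above (a user certificate exported without its private key) can all be checked offline with openssl before involving AnyConnect at all. The script below is an added example, not code from the original post or from Cisco; it builds a throw-away test CA and client certificate with constructed values (the CN v.semenov@example.test and the OU are made up for the demonstration) and then runs the checks against them.

```shell
#!/bin/sh
# Added example: offline checks on an AnyConnect client certificate with openssl.
# All names and files below are constructed for this demonstration; nothing
# comes from the thread's ASA or CA.
WORK="${WORK:-$(mktemp -d)}"

make_test_pki() {
  # Throw-away CA (hypothetical, built here only to sign the test client cert)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Test CA" >/dev/null 2>&1
  # Client cert whose subject carries OU=spb, the value the ASA map rule
  # "subject-name attr ou eq spb" looks for; the CN is a constructed UPN-style name
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/O=Example/OU=spb/CN=v.semenov@example.test" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.crt" >/dev/null 2>&1
  # An unrelated key, to show what a key/certificate mismatch looks like
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" >/dev/null 2>&1
}

# cert_attr <cert.pem> <ATTR>: print one subject attribute (e.g. OU or CN)
cert_attr() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n "s/.*[=,]$2=\([^,]*\).*/\1/p"
}

# ou_rule_matches <cert.pem> <value>: emulates "subject-name attr ou eq <value>"
ou_rule_matches() {
  [ "$(cert_attr "$1" OU)" = "$2" ]
}

# key_matches_cert <cert.pem> <key.pem>: true when the private key's public
# half is byte-identical to the public key carried inside the certificate
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_ok <ca.pem> <cert.pem>: does the client cert chain to the CA the ASA trusts?
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_pki
printf 'subject OU=%s  CN=%s\n' \
  "$(cert_attr "$WORK/client.crt" OU)" "$(cert_attr "$WORK/client.crt" CN)"
if ou_rule_matches "$WORK/client.crt" spb; then
  echo "map rule 'ou eq spb' would match this certificate"
fi
if key_matches_cert "$WORK/client.crt" "$WORK/client.key"; then
  echo "client.key belongs to client.crt"
fi
if ! key_matches_cert "$WORK/client.crt" "$WORK/other.key"; then
  echo "other.key does NOT belong to client.crt"
fi
if chain_ok "$WORK/ca.crt" "$WORK/client.crt"; then
  echo "client.crt chains to ca.crt"
fi
```

Against a real export, point cert_attr and key_matches_cert at the PEM files pulled out of the user's certificate store: if the export never contained the private key, as in the post above, there is no key file for key_matches_cert to pass, which is exactly why the browser (which has its own store) could still authenticate while AnyConnect could not. The CA file used for chain_ok should be the same one imported into the ASA trustpoint, which can be confirmed on the ASA with "show crypto ca certificates".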
11-13-2014 05:28 AM
All works properly when I try to set up certificate authentication on ASA version 931, not 922.