Hi 

Thanks for your reply.  

So we can install a certificate manually on the client that the ASA will trust, assign it to the Anyconnect app, set the ASA to authenticate the VPN via certificate and this will work correctly.

If I understand you correctly, if the certificate wasn't installed on a client and the ASA was expecting certificate authentication, then the VPN wouldn't successfully connect at all.  It won't prompt to install a certificate based on the public key of the certificate installed on the ASA as I outlined above.  The only way a certificate could be installed on the fly when connecting would be is if there was an auto enrollment policy in place and it requested a certificate on the fly from the CA.

Am I understanding correctly?

Thanks.

Ok maybe I've explained correctly.

For manual installation, everything clear.

In case a client is connecting through VPN that requires certificate but was not enrolled before connection: I assume that you don't want anybody connecting without a certificate

- You have to create at least 2 policies

1st policy:

 - Users connect through VPN using user/password

 - ASA will accept VPN connection. This VPN has limited access. While the user is connected, ASA/Anyconnect will generate the user certificate by using SCEP protocol between your ASA and your CA server.

 - User certificate is then automatically installed, same for the new VPN connection profile that will require certificate to mount the connection.

Then to answer your question, Yes ASA will do automatic enrollment of user certificate (you need to configure SCEP on your CA server as well).

Is it more clear?

I have done some labs on this topic for some customers. If I found my document related to that topic, I will drop it.

Thanks.

PS: don't forget to rate and mark as correct answer

Hi, 

Okay, yes, that process makes perfect sense, thanks. 

Maybe a slightly different question then; is it possible to do this without a CA environment in your control? I.e. Install a server certificate from a 3rd party CA e.g. Verizon on the ASA,  and install another separate user  certificate from the same 3rd party CA on the clients (same certificate on each client, manually installed). 

I suspect this isn't possible and this is the whole source of my confusion.

Thanks. 

When you say 3rd party, you can do if this 3rd party is offering SCEP enrollment.

You need to verify with your certificate provider.

However you need to have 1 third party that send certificate on ASA and user.

If SCEP is not supported, you need to enroll user certificates manually and deploy it on your clients.

PS: please don't forget to rate and mark as correct answer

Okay, so in short, clients need to enroll to get a certificate, either with a 3rd party or an internal CA.  They mint a certificate on the fly when they connect to the VPN for the first time.

There's no way of using the same certificate from a single CSR to a 3rd party on every single device to connect, there needs to be some kind of enrollment infrastructure in place.

Correct?

My initial thoughts were that I'd have:

- The ASA with one certificate

- The client with a separate certificate

Both generated via a third party CA as there is no internal CA where I am working.

The same client certificate would be installed on each device that needs to connect as to generate a certificate per client is not scaleable (or affordable) with a 3rd party CA.  This is how the ASA would identify the device.

That was my initial design thought, and what I was trying to work out whether was possible.  

From what you say however, the best way of doing this design wise would be to go through the process of setting up the internal CA infrastructure to handle enrollment.  This is also how all the design guides refer to deployment.

Yes better solution with internal CA.