difference between identity certificate and CA certificate

Martin Lee
Level 1

I am a beginner at ASA AnyConnect setup. I looked into some designs and found several certificates in the ASA configuration from ASDM. Can anyone explain to me what the difference is between an identity certificate and a CA certificate? How are both kinds of certificate used during AnyConnect VPN setup?

thanks.

Martin

9 Replies

rvarelac
Level 7

Hi Martin, 

CA certificate stands for Certificate Authority certificate; these are commonly used when you have certificate authentication enabled. In this section we can install any intermediate certificate as well.

The identity certificates are normally used for SSL identity purposes on the ASA.

Example:

https://supportforums.cisco.com/document/12524871/install-certificate-asa

Hope it helps

-Randy-

Thanks for your reply, Randy.

From looking into an existing AnyConnect deployment, I understand that the CA certificate is used for client authentication. The ASA and the AnyConnect client have certificates issued by the same Certificate Authority, so that the AnyConnect client and the ASA can trust each other.

Please correct me if I have any misunderstanding of it.

But I am still a little confused about how identity certificates work. I can see that identity certificates are always bound to the interface that receives the SSL VPN connection request.

Hi Martin,

You are right, the CA certificates are used for certificate authentication. See an example below:

https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication

The identity certificates are attached to the interface with the purpose of making the ASA a trusted server. For example, if you have an identity certificate with the CN vpn.cisco.com, the AnyConnect users need to type that domain to connect and avoid any pop-up about untrusted connections. I hope that answers your question.

Cheers,

-Randy-

Hi Randy,

If I do not use certificate authentication for the AnyConnect client, do I have to install a certificate and bind it to the interface?

It seems that the pop-up about untrusted connections is a bug in a specific AnyConnect version, according to the previous discussions below.

https://supportforums.cisco.com/discussion/12328761/cisco-anyconnecthow-hide-security-warning-untrusted-certificate

https://supportforums.cisco.com/document/12507066/security-warning-untrusted-certificate-when-trying-connect-asa-using-anyconnect

br,

Martin

Hi Martin, 

It is not a bug; it is the way certificates work. Certificates function similarly to identification cards such as passports. For example, passports are issued by recognized government authorities, whereas digital certificates are issued by recognized certification authorities (CAs). The ASA is not a Certificate Authority, hence if you try to connect to the ASA without a certificate previously installed, it is expected to get the pop-up of "untrusted connections".

Actually, what you are doing when you install the certificate on the ASA is making this unit a trusted device.

Cheers,

-Randy-

Hi,

I happened to read this post and I have an additional question. Does the ASA need both 1) an identity cert and 2) a CA cert for the VPN to function?

regards,

Kelvin

Kelvin

I do not want to be overly picky, but I do want to be very careful in answering your question, especially if the crux of your question is about the VPN functioning. This discussion is about setting up the ASA for the AnyConnect client for Remote Access VPN. AnyConnect VPN will function without a CA cert and identity cert by having the ASA generate a self-signed cert. So the CA cert and identity cert are not required for the VPN to function. But if you run AnyConnect with the self-signed cert, then each time the user initiates the VPN they will receive a warning message about an untrusted server. If we want to avoid having that warning message, then we need to install the CA cert and the identity cert.

HTH

Rick


Thanks for the clear explanation Rick!

You are welcome.

HTH

Rick
