FMC managed FTD: Remote Access VPN with client certificate and Yubikey

mattw
Level 1

Hi,

I have a pair of FTDv (FMC managed) and I need to configure an AnyConnect remote access VPN with client certificates AND with Yubikey.

Had anyone done this before? Can anyone point me at a guide please?

Many thanks in advance,

Matt.

4 Replies

Milos_Jovanovic
VIP Alumni

Hi @mattw,

I never used Yubikey, but, by doing a quick search, I see that it integrates like any other MFA solution. I found this article on Yubico website.

If this is the case, you integrate FTD with MFA in standard way. You can find several integration guides for this on this community. On top of that you integrate FTD and AnyConnect with client certificate, so you'll actually have triple authentication (client cert + username/password + MFA). Take a look at this post.

BR,

Milos

Hi Milos,

Thank you for your reply and links.

Looks like multi-certificate was only supported from Firepower 7.x so I will upgrade my lab FMC and FTD and see what we have.

Thanks again,

Matt.

Hi @Milos_Jovanovic, all,

OK, so I've got the Yubikey certificate working on its own (with the user cert loaded onto it).

I can also use just the machine certificate to authenticate (had to enable the "Windows Certificate Store Override" option for this to work)

I've also got it working with AAA+cert using AD. By tweaking the profile.xml I can make AnyConnect use the user certificate or the machine certificate and it works fine, so I know the certificate side of things is OK for both the user cert and the machine cert.

However, when I change it to multiple certificates it doesn't work. I just get the error in AnyConnect: "Certificate Validation Failure".

In the profile.xml file, it doesn't matter whether I set "Client Certificate Store" to All or User or Machine, it still fails.

I've not done much with certificates and AnyConnect. Do I need to make changes to the "Certificate Pinning" or "Certificate Matching" or "Certificate Enrollment" sections within the anyconnect profile?

Seems I'm so close but not quite there....

Any help is greatly appreciated!!


This is now resolved.

The issue was to do with the setting for automatic certificate selection. Despite my AnyConnect profile having auto cert selection enabled, the local AnyConnect settings had it disabled, which stopped it from working. Now it's working like a charm.

On the FTD (well the FMC), you simply choose multiple certificates (must be on FTD version 7+), make sure you have done your certificate enrollment properly and the root cert is on FTD, then just make sure your profile.xml and local AnyConnect config is good.

There are restrictions to do with key length and AnyConnect version but that's all in the guide.

Cheers,

Matt.
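The resolution above comes down to three client-profile settings interacting: AutomaticCertSelection (and whether the profile lets the user override it locally), CertificateStore, and CertificateStoreOverride. The script below is an added example, not code from this thread or from Cisco: it parses an AnyConnect profile.xml, reports which of those settings would break a machine-cert plus user-cert (YubiKey) deployment, and emits a corrected copy. The sample profile is constructed for the example; the element names and the default namespace are the ones the AnyConnect profile editor writes, and the interpretation that UserControllable="true" lets the local Preferences tab override the profile value is an assumption based on the behaviour Matt describes.

```python
"""Check and fix the AnyConnect profile settings that matter for
multiple-certificate authentication (machine cert + user cert on a token).

Added example for this thread; not a Cisco tool. Verify element names
against the profile editor output for your AnyConnect/Secure Client version.
"""
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.xmlsoap.org/encoding/"   # default namespace the profile editor emits
NS = "{" + NS_URI + "}"

# Constructed sample profile (not taken from the thread). It mirrors the failing
# state described above: auto cert selection is on in the profile but left
# user-controllable, and only the user store is searched.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <CertificateStore>User</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.test</HostName>
      <HostAddress>vpn.example.test</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _text(root, name):
    el = root.find(f".//{NS}{name}")
    return None if el is None else (el.text or "").strip()


def _attr(root, name, attr):
    el = root.find(f".//{NS}{name}")
    return None if el is None else el.get(attr)


def check_multicert_profile(xml_text):
    """Return a list of findings; an empty list means the profile is multi-cert ready."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "AutomaticCertSelection") != "true":
        findings.append("AutomaticCertSelection must be true for multiple-certificate auth")
    if _attr(root, "AutomaticCertSelection", "UserControllable") == "true":
        # Assumption: with UserControllable on, the local Preferences tab can
        # switch auto selection off regardless of what the profile says.
        findings.append("AutomaticCertSelection is UserControllable; a local preference can disable it")
    store = _text(root, "CertificateStore")
    if store != "All":
        findings.append(f"CertificateStore is {store!r}; machine + user cert needs All")
    if _text(root, "CertificateStoreOverride") != "true":
        findings.append("CertificateStoreOverride should be true so a non-admin user can use the machine cert")
    return findings


def harden_multicert_profile(xml_text):
    """Return the profile with the multi-cert settings enforced (and not user-overridable)."""
    ET.register_namespace("", NS_URI)          # keep the default namespace on output
    root = ET.fromstring(xml_text)
    init = root.find(f"{NS}ClientInitialization")
    if init is None:
        init = ET.SubElement(root, f"{NS}ClientInitialization")

    def set_el(name, value, attrs=None):
        el = init.find(f"{NS}{name}")
        if el is None:
            el = ET.SubElement(init, f"{NS}{name}")
        el.text = value
        for k, v in (attrs or {}).items():
            el.set(k, v)

    set_el("AutomaticCertSelection", "true", {"UserControllable": "false"})
    set_el("CertificateStore", "All")
    set_el("CertificateStoreOverride", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in check_multicert_profile(SAMPLE_PROFILE):
        print("finding:", f)
    fixed = harden_multicert_profile(SAMPLE_PROFILE)
    print("after fix:", check_multicert_profile(fixed) or "no findings")
```

Run it against the profile pushed by FMC (or the copy under the client's profile directory) before pushing a multi-cert group policy; the FTD-side restrictions on key length and minimum AnyConnect version that Matt mentions are not visible in the profile and still need to be checked in the configuration guide.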