FTD/FMC: Cisco Anyconnect with Machine Certificate Authentication

IamSamSaul
Level 1

Hi Team,

I have configured Cisco Anyconnect VPN on Cisco FTD being managed by Cisco FMC. The Cisco Anyconnect VPN is working fine with AAA (local) authentication. But now I would like to change the authentication method to Machine Authentication. I have done the following:

1) Users connect to Cisco Anyconnect VPN: vpn.example.com;

2) The vpn.example.com is a 3rd Party signed certificate; when users connect to Cisco Anyconnect VPN they do not get any certificate error;

For Machine Authentication:

3) I have uploaded the Internal Root-CA to the Trusted CA of the FTD;

4) The Windows 10 machine is getting the correct client certificate from Internal Root-CA;

5) In Anyconnect Profile XML file I have included the following settings:

<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreLinux>All</CertificateStoreLinux>
<CertificateStoreOverride>true</CertificateStoreOverride>

<CertificateMatch>
  <MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
  <DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
      <Name>ISSUER-CN</Name>
      <Pattern>my-root-ca</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName>
</CertificateMatch>

When the user tries to authenticate, they get the error "No valid certificates available for authentication". I have used the following debug commands, but I can't get useful information about the error:

debug webvpn 255
debug webvpn anyconnect 255
debug crypto ca 255

Any documentation or help will be highly appreciated.

Thanks & Regards,

Sam
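The profile above only lets AnyConnect offer certificates whose issuer CN is exactly "my-root-ca" (Operator Equal, no wildcard, case-sensitive). A quick way to see whether a given machine certificate would pass that filter is to replay the CertificateMatch rules against the certificate's subject and issuer as printed by `openssl x509 -noout -subject -issuer -nameopt RFC2253`. The script below is an added example, not code from the thread or from Cisco; the matching semantics are inferred from the attribute names (Operator, Wildcard, MatchCase) and from the ISSUER- prefix convention in the Name element, and the assumption that every DistinguishedNameDefinition must match is labelled in the code. The certificate DNs are constructed sample values.

```python
"""Replay AnyConnect CertificateMatch DN rules against a certificate's DNs.

Added example, not part of the original thread. Semantics are an assumption
based on the attribute names in the profile; verify against Cisco's profile
documentation before relying on the result.
"""
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed copy of the thread's CertificateMatch block.
PROFILE_FRAGMENT = """
<CertificateMatch>
  <MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
  <DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
      <Name>ISSUER-CN</Name>
      <Pattern>my-root-ca</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName>
</CertificateMatch>
"""


def parse_dn(dn: str) -> dict:
    """Parse an RFC 2253 style DN ('CN=ws01,OU=Workstations') into
    {ATTR: [values]}. Commas escaped with a backslash stay inside a value."""
    out = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            continue
        attr, value = rdn.split("=", 1)
        out.setdefault(attr.strip().upper(), []).append(value.strip().replace("\\,", ","))
    return out


def load_rules(profile_xml: str) -> list:
    """Collect every DistinguishedNameDefinition with its matching options."""
    root = ET.fromstring(profile_xml)
    rules = []
    for d in root.iter("DistinguishedNameDefinition"):
        rules.append({
            "name": d.findtext("Name", "").strip(),
            "pattern": d.findtext("Pattern", "").strip(),
            "operator": d.get("Operator", "Equal"),
            "wildcard": d.get("Wildcard", "Disabled") == "Enabled",
            "match_case": d.get("MatchCase", "Enabled") == "Enabled",
        })
    return rules


def rule_matches(rule: dict, subject: dict, issuer: dict) -> bool:
    """Apply one rule. Names prefixed ISSUER- are checked against the issuer DN,
    all other names against the subject DN (assumption taken from the profile)."""
    name = rule["name"]
    if name.startswith("ISSUER-"):
        values = issuer.get(name[len("ISSUER-"):], [])
    else:
        values = subject.get(name, [])
    pattern = rule["pattern"]

    def equal(value: str) -> bool:
        if not rule["match_case"]:
            value, pat = value.lower(), pattern.lower()
        else:
            pat = pattern
        return fnmatch.fnmatchcase(value, pat) if rule["wildcard"] else value == pat

    found = any(equal(v) for v in values)
    return found if rule["operator"] == "Equal" else not found


def evaluate(profile_xml: str, subject_dn: str, issuer_dn: str):
    """Return (all_rules_match, per_rule_details). Assumes AnyConnect requires
    every DN rule to match before the certificate is offered."""
    subject, issuer = parse_dn(subject_dn), parse_dn(issuer_dn)
    details = []
    for rule in load_rules(profile_xml):
        ok = rule_matches(rule, subject, issuer)
        details.append((rule["name"], rule["pattern"], ok))
    return all(ok for _, _, ok in details), details


if __name__ == "__main__":
    # Constructed certificates: one issued directly by the root, one issued by
    # a subordinate CA. X.509 'issuer' is the immediate signer, so the second
    # certificate fails an ISSUER-CN rule that names the root.
    samples = {
        "issued by root": ("CN=ws01.example.com,OU=Workstations", "CN=my-root-ca,DC=example,DC=com"),
        "issued by sub-CA": ("CN=ws02.example.com,OU=Workstations", "CN=my-issuing-ca,DC=example,DC=com"),
        "case differs": ("CN=ws03.example.com,OU=Workstations", "CN=My-Root-CA,DC=example,DC=com"),
    }
    for label, (subj, iss) in samples.items():
        ok, details = evaluate(PROFILE_FRAGMENT, subj, iss)
        print(f"{label}: {'offered' if ok else 'filtered out'} {details}")
```

Run it with the subject and issuer lines from the actual machine certificate; a "filtered out" result points at the CertificateMatch block rather than at the FTD side, which is the first thing to rule out before turning up debugs on the headend. The sub-CA case is worth checking on any two-tier PKI: the issuer CN of a machine certificate is the issuing CA, not the root, even though the chain terminates at the root.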


You would need to create a trust point on the FTD and enrol its identity certificate through your internal PKI. Please take a look at this post of mine (step 6) and let us know if you have any further questions:

FMC AnyConnect SSL VPN | Blue Network Security (bluenetsec.com)

Hi Aref,

Thanks for your reply. Do I still have to do this step (step 6) if I'm using a 3rd Party Signed Certificate for my VPN connection? Under "Device Certificates" I have selected the 3rd Party Signed certificate so that the users don't get the certificate error.

Thanks & Regards,

Sam


You're welcome. Yes, I would say you do still need to create that trust point. However, that trust point won't be bound to the FTD outside interface. On the outside interface of the FTD you will still have the public 3rd party cert.