10-10-2022 04:14 AM
Hi Team,
I have configured Cisco Anyconnect VPN on Cisco FTD being managed by Cisco FMC. The Cisco Anyconnect VPN is working fine with AAA (local) authentication. But now I would like to change the authentication method to Machine Authentication. I have done the following:
1) Users connect to Cisco Anyconnect VPN: vpn.example.com;
2) The vpn.example.com is a 3rd Party signed certificate; when users connect to Cisco Anyconnect VPN they do not get any certificate error;
For Machine Authentication:
3) I have uploaded the Internal Root-CA to the Trusted CA of the FTD;
4) The Windows 10 machine is getting the correct client certificate from Internal Root-CA;
5) In Anyconnect Profile XML file I have included the following settings:
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreLinux>All</CertificateStoreLinux>
<CertificateStoreOverride>true</CertificateStoreOverride>
<CertificateMatch>
    <MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
    <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
            <Name>ISSUER-CN</Name>
            <Pattern>my-root-ca</Pattern>
        </DistinguishedNameDefinition>
    </DistinguishedName>
</CertificateMatch>
When a user tries to authenticate, they get the error "No valid certificates available for authentication". I have used the following debug commands but I can't get useful information about the error:
debug webvpn 255
debug webvpn anyconnect 255
debug crypto ca 255
Any documentation or help will be highly appreciated.
Thanks & Regards,
Sam
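As an added diagnostic (not Cisco's code and not posted in this thread): a small Python script that parses the CertificateMatch rules from the profile above and evaluates them against constructed candidate client certificates. It assumes the AnyConnect semantics of Operator (Equal/NotEqual), Wildcard and MatchCase as described in the profile editor documentation; the candidate certificates are constructed DN dictionaries, not real X.509 objects.

```python
"""Evaluate an AnyConnect <CertificateMatch> block against candidate certificates.
Added illustration; matching semantics are assumed from the AnyConnect profile
editor docs and the candidate certificates are constructed DN dictionaries."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed copy of the <CertificateMatch> fragment from the profile above.
PROFILE_FRAGMENT = """<CertificateMatch>
<MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
<DistinguishedName>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
<Name>ISSUER-CN</Name>
<Pattern>my-root-ca</Pattern>
</DistinguishedNameDefinition>
</DistinguishedName>
</CertificateMatch>"""

def parse_dn_rules(fragment):
    """Return (name, pattern, operator, wildcard, match_case) per definition."""
    rules = []
    for d in ET.fromstring(fragment).iter("DistinguishedNameDefinition"):
        rules.append((d.findtext("Name"), d.findtext("Pattern"),
                      d.get("Operator", "Equal"),
                      d.get("Wildcard", "Disabled") == "Enabled",
                      d.get("MatchCase", "Enabled") == "Enabled"))
    return rules

def dn_rule_matches(rule, cert):
    """cert maps DN field names (e.g. 'ISSUER-CN') to values; a missing field never satisfies Equal."""
    name, pattern, operator, wildcard, match_case = rule
    value = cert.get(name)
    if value is None:
        matched = False
    else:
        v, p = (value, pattern) if match_case else (value.lower(), pattern.lower())
        matched = fnmatch.fnmatchcase(v, p) if wildcard else v == p
    return matched if operator == "Equal" else not matched

def select_certificates(fragment, certs):
    """Return the candidates that satisfy every DistinguishedNameDefinition."""
    rules = parse_dn_rules(fragment)
    return [c for c in certs if all(dn_rule_matches(r, c) for r in rules)]

# Constructed candidates: the first issuer CN differs from the Pattern only in
# case, which MatchCase="Enabled" rejects, so only the second one is selectable.
CANDIDATES = [
    {"SUBJECT-CN": "PC01.corp.example.com", "ISSUER-CN": "My-Root-CA"},
    {"SUBJECT-CN": "PC02.corp.example.com", "ISSUER-CN": "my-root-ca"},
]
```

Running the profile's real rules against the issuer CN that your internal CA actually puts in the client certificate shows whether the client-side filter, rather than the FTD trust configuration, is what leaves no selectable certificate.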
10-10-2022 05:22 AM
You would need to create a trust point on the FTD and enrol its identity certificate through your internal PKI. Please take a look at this post of mine (step 6) and let us know if you have any further questions:
FMC AnyConnect SSL VPN | Blue Network Security (bluenetsec.com)
10-10-2022 07:11 AM
Hi Aref,
Thanks for your reply. Do I still have to do this step (step 6) if I'm using 3rd Party Signed Certificate for my VPN connection? Under "Device Certificates" I have selected the 3rd Party Signed certificate so that the users don't get the certificate error.
Thanks & Regards,
Sam
10-10-2022 08:10 AM
You're welcome. Yes, I would say you do still need to create that trust point. However, that trust point won't be bound to the FTD outside interface. On the outside interface of the FTD you will still have the public 3rd party cert.