Management Tunnel certificate

royhog
Level 1

Hello,

I am trying to get a management VPN tunnel working for remote clients. They currently use per-user Secure Client for remote work and I don't want to interfere with that. We have a 3rd-party SSL certificate on our WAN interface assigned to our VPN URL vpn.hostname.com. I am able to use the identity cert from that certificate and install it into the personal trust store on my test laptop, and the mgmt tunnel works properly. I know this is not best practice, so I want to generate a certificate with my Microsoft CA and install it via GPO so it will authenticate the mgmt tunnel without user intervention. If I create the CSR on the ASA and use the same vpn.hostname.com for the certificate subject, then generate and install the identity certificate on the ASA, will this affect the existing 3rd-party certificate? I already added the CA certificate of my Microsoft CA to the ASA. This is the first mgmt tunnel I have ever configured and I appreciate any advice.

4 Replies

ccieexpert
Spotlight

Hello, you don't need to install a certificate from the MS CA on the ASA. Just import the CA cert from the MS CA onto the ASA into a new trustpoint (don't change anything for the existing trustpoint). Once you do that, it will send the MS CA root CA in the cert request in SSL negotiations.

It is explained here. Please let me know if you have any questions.

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

** Please rate as helpful if this was useful. Mark as Solution if solved your problem **


royhog
Level 1

Thanks ccieexpert, I added the CA cert to the ASA with its own trustpoint, but when I try to connect to the tunnel group, I get a certificate validation error and it says no valid certificates are available.

ccieexpert
Spotlight

Can you please grab a DART bundle from the client, and maybe you can add the snip from the ASA config.

I can't share the DART bundle due to company security policy. Do you have suggestions of what to look for in the DART bundle? I never installed a machine certificate in my client computer. That is why I was thinking I needed an identity cert from the ASA. Here is a snippet of my VPN config:

group-policy mgmt-gp internal
group-policy mgmt-gp attributes
 dns-server value 8.8.8.8 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value anyconnect-split-tunnel
 default-domain value domain.local
 client-bypass-protocol enable
 address-pools value anyconnect
 anyconnect-custom ManagementTunnelAllAllowed value true
 webvpn
  anyconnect profiles value mgmt type vpn-mgmt

tunnel-group mgmt type remote-access
tunnel-group mgmt general-attributes
 default-group-policy mgmt
tunnel-group mgmt webvpn-attributes
 authentication certificate
 group-alias mgmt
 group-url https://vpn.domain.com/mgmt enable
 without-csd

webvpn
 enable Outside
 anyconnect-custom-attr ManagementTunnelAllAllowed description ManagementTunnelAllAllowed
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/cisco-secure-client-win-5.x.x.x-webdeploy-k9.pkg 1
 anyconnect profiles AnyconnectClientProfile disk0:/anyconnectclientprofile.xml
 anyconnect profiles anyconnect_client_profile disk0:/anyconnect_client_profile.xml
 anyconnect profiles management-vpn-profile disk0:/mgmtprofile.vpnm
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
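The trustpoint layout ccieexpert describes (CA cert in its own trustpoint, existing SSL trustpoint untouched) together with the machine-certificate requirement royhog runs into, as an added example that is not from this thread or the linked Cisco document; the trustpoint names, the CA common name and the interface name are assumed placeholders, and the certificate map is an added restriction so that only certs issued by that CA can select the mgmt tunnel group.

```cisco
! Added example (placeholder names). Comments use the ASA's "!" convention.
!
! 1. The third-party identity cert stays bound to the outside interface.
!    Nothing below touches THIRD-PARTY-TP, so the per-user VPN is unaffected
!    and no second identity cert with the vpn.hostname.com subject is needed.
ssl trust-point THIRD-PARTY-TP Outside
!
! 2. A separate trustpoint that holds ONLY the Microsoft CA certificate.
!    No CSR, no identity cert: "crypto ca authenticate" imports the CA cert,
!    and the ASA then lists this CA in the TLS CertificateRequest it sends.
crypto ca trustpoint MSCA-ROOT
 enrollment terminal
crypto ca authenticate MSCA-ROOT
! (interactive: paste the base64 CA certificate, then type "quit")
!
! 3. Restrict the mgmt tunnel group to certs issued by that CA. Without a map,
!    any client cert chaining to any CA trusted on the ASA could match.
crypto ca certificate map MGMT-MACHINE-CERTS 10
 issuer-name attr cn eq CORP-ROOT-CA
!
webvpn
 certificate-group-map MGMT-MACHINE-CERTS 10 mgmt
!
tunnel-group mgmt webvpn-attributes
 authentication certificate
!
! Client side: the management tunnel authenticates with a certificate from the
! Local Computer (machine) store, not the user's personal store. A computer
! certificate from the Microsoft CA with the Client Authentication EKU, pushed
! by GPO auto-enrollment, is what satisfies the CertificateRequest above;
! "no valid certificates are available" on the client is what you see when
! no such machine cert is installed.
```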