ā05-23-2024 03:16 AM - edited ā05-23-2024 03:17 AM
We currently use certificate based authentication for our end clients
We want to change the certificate that the user uses to authenticate with
Can we add the new CA cert to the ASA, to work alongside the existing one.
How do we force users to use a specific certificate? Is this done with cert matching?
Many thanks
ā05-23-2024 03:36 AM - edited ā05-23-2024 03:36 AM
Sure you can
Yoh can even use both cert for anyconnect
ā05-23-2024 04:16 AM
@is.infrastructure1 you can add another certificate to the ASA.
From the client computer perspective, if they have multiple certificates (the old one and the new one), then create different XML profiles using the Secure Client/AnyConnect profile editor and then create certificate matching rules (match on attribute from the required certificate). When the client connects it will then use that XML profile, which willl then present that certificate (as per the matching rules) to the ASA for authentication.
ā05-23-2024 06:37 AM
Thanks guys. Very helpful. Is there a specific type of certificate required to import on to the ASA?
I am getting the following error message when loading the certificate onto the ASA:
% Error in saving certificate: status = FAIL
ā05-23-2024 06:45 AM
https://m.youtube.com/watch?v=Er5toSsbM8I
This video how you config Cert. Auth anyconnect'
You need to add root CA to ASA.
MHM
ā05-23-2024 06:54 AM
@is.infrastructure1 what have you configured? Provide a screenshot for context.
You need to create a trustpoint, use terminal enrollment. Authenticate the trustpoint and paste the CA certificate.
ā06-04-2024 12:35 AM
Thanks guys.
I've been able to import the certificate to the ASA
Is there a way of proving the connection is using a specific certificate?
I cant see anything in the 'show vpn-sessiondb detail anyconnect......' command
ā06-04-2024 12:43 AM
Can I see show vpn sessiondb anyconnect detail
MHM
ā06-04-2024 12:55 AM
ā06-04-2024 03:12 AM
Debug crypto ca 14
try disconnect and re-connect Anyconnect
then check CA
I will check simple way via show and update you
MHM
ā06-04-2024 06:54 AM
As I mention there is no direct way
You can use
Debug crypto ca 14 or 255
Or
Debug webvpn anyconnect 255
Look for log message
Asa-7-717030
Thanks
MHM
ā06-04-2024 04:06 AM
@is.infrastructure1 I am not sure there is an obvious way to check, but you could check the SYSLOG message generated, such as the following which confirms which trustpoint was matched.
%ASA-6-725016: Device selects trust-point <TRUSTPOINT NAME> for peer-type interface
You could then send just that message to the console to view or a syslog server. Example:-
logging list CONSOLE-LIST message 725016
logging console CONSOLE-LIST
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide