09-05-2012 09:53 AM
I have an ASA5540 running 8.4(3) which has CA and identity certificates from godaddy.com installed, identifying the ASA to VPN remote users (they are using the AnyConnect client).
There is also a separate certificate server located on the inside LAN that is used for internal purposes. All client workstations have identity certs from this internal server.
We would like to be able to continue using the existing godaddy CA/identity certs to identify the ASA to the clients, but we'd like to use the internal CA server to identify the clients when they initiate the AnyConnect session to the ASA.
Can this be done? I have seen other postings that state you cannot have more than one cert on an interface, but this is a little different - only one cert needs to be used to identify the ASA. The other one is only to identify the users. The ASA did allow me to import the internal CA cert.
If it can be done, could someone point me to an example config?
Thanks,
-Mathew
09-05-2012 11:05 AM
Hello Matthew,
Your statement is correct.
You can have the GoDaddy certificate to identify the ASA to the clients; this identity certificate is the one you apply on the outside interface.
Then, you can have a certificate from a different CA (Certificate Authority), in your case an internal CA, to identify the clients to the ASA. You just need to install the Root and Intermediate (if any) certificates of this new CA in your ASA.
The ASA will check the client's identity against all of the CA certificates installed in it until there is a validation of the certificate or it denies the connection.
You will need to use certificate authentication in the tunnel group used by your Anyconnect clients:
tunnel-group Anyconnect-group webvpn-attributes
authentication certificate
I hope this helps.
Daniel Moreno
VPN
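An added configuration example (not from Daniel's reply or the original poster's ASA) showing the two-trustpoint layout the answer describes on ASA 8.4: one trustpoint carries the GoDaddy chain and the ASA's own identity certificate and is bound to the outside SSL listener, while a second trustpoint holds only the internal CA root so client certificates issued by it validate. Trustpoint and key names, vpn.example.com, the group-policy name and the AnyConnect package filename are placeholders.

```cisco
! Trustpoint 1: GoDaddy chain + the ASA identity certificate.
! Identifies the ASA to AnyConnect clients; never used to validate clients.
crypto key generate rsa label GODADDY-KEY modulus 2048
crypto ca trustpoint GODADDY-ID
 enrollment terminal
 keypair GODADDY-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
! Paste the GoDaddy root/intermediate, generate the CSR, then paste the
! signed identity certificate returned by GoDaddy.
crypto ca authenticate GODADDY-ID
crypto ca enroll GODADDY-ID
crypto ca import GODADDY-ID certificate
!
! Trustpoint 2: internal CA root only. No enroll/import step, so the ASA
! holds no identity certificate here; it is used purely to build and check
! the chain of the client certificates presented during AnyConnect login.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 ! revocation-check defaults to none; enable CRL/OCSP checking only once the
 ! internal CA's CRL distribution point is reachable from the ASA.
crypto ca authenticate INTERNAL-CA
!
! Only the GoDaddy identity certificate is presented on the outside interface.
ssl trust-point GODADDY-ID outside
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-placeholder-k9.pkg 1
 anyconnect enable
!
! Certificate-only authentication for the AnyConnect tunnel group; the client
! certificate must chain to a CA trustpoint on the ASA (here INTERNAL-CA).
tunnel-group Anyconnect-group type remote-access
tunnel-group Anyconnect-group general-attributes
 default-group-policy Anyconnect-policy
tunnel-group Anyconnect-group webvpn-attributes
 authentication certificate
 group-alias Anyconnect enable
```

A client whose certificate chains to GoDaddy rather than the internal CA would also pass validation with this configuration, since the ASA walks every installed CA trustpoint; restricting which CA may authenticate users is a separate mapping step not covered in this thread.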
09-05-2012 11:19 AM
Matthew,
In addition to the previous post (5 stars), please check this Doc for further reference:
AnyConnect Certificate Based Authentication
Keep us posted
Please rate any post you find useful.
09-05-2012 12:30 PM
Thanks Daniel, that was exactly what I needed to know.
Thanks for the link, Javier.
-Mathew
09-05-2012 12:34 PM
You are welcome
Nice to know you found what you were looking for.
Have a good one.