SSL Certificates with AnyConnect

cdowling_bm
Level 1

Hello,

I have a question about the use of SSL certificates with Cisco AnyConnect. I have limited knowledge of this technology, so apologies for the basic questions.

For customers connecting to a network remotely via an ASA5500X firewall:

- Under what circumstances would/should an SSL certificate be purchased and used?

- Is a certificate required only when using a clientless VPN?

- Does it matter if the customer has an AnyConnect Plus or Apex license?

Thanks for your help.

Accepted Solution

Mohammad Alhyari
Cisco Employee

- Under what circumstances would/should an SSL certificate be purchased and used?

There are two cases where you want to buy a certificate:

a) If you want the server [SSL server], which is the ASA in the case of AnyConnect, to be identified using a certificate that is signed by a known CA. This is one of the fundamentals of the SSL protocol. Consider it like a normal driving licence: the licence needs to be signed by the known authority so that you can present your licence to someone else.

Reflecting this on AnyConnect: when I connect to the ASA, it will present me with its certificate. If that certificate is signed by a known CA, you do not see any warning and SSL continues to protect you. Now, if the certificate is signed by someone you do not trust [or it is a self-signed certificate, signed by the device itself], then you will get a certificate warning and you have the option to continue or not.

It is a good security practice to get a trusted certificate, since allowing the users to ignore the untrusted certificate error and complete the connection makes you vulnerable to a man-in-the-middle attack.

b) In case you want to use the certificate for client authentication, that is, you are not satisfied enough with the user entering his password. You can get a certificate for the client, install it on his machine, and the ASA can authenticate the client via that certificate.

- Is a certificate required only when using a clientless VPN?

It is good for the following usages:

- AnyConnect
- clientless VPN aka WebVPN
- IPsec site-to-site tunnel
- AnyConnect IKEv2
- ASDM access

// any feature that utilizes IPsec or SSL.

- Does it matter if the customer has an AnyConnect Plus or Apex license?

The two are totally different. Please have a look here and see what features are enabled with each one:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html
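As an added illustration of the server-identification point above (this script is not from the thread or from Cisco), the following openssl commands build a lab CA plus two gateway certificates and then run the same two checks a client performs when the ASA presents its certificate: does it chain to a trusted CA, and was it issued for the name being contacted. The hostname vpn.example.test and the lab CA are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: builds a lab CA and two gateway certificates
# with openssl, then shows which ones verify cleanly and which produce the
# "untrusted certificate" outcome a client such as AnyConnect warns about.
# The hostname vpn.example.test and the lab CA are constructed for this demo.
set -e

WORK=$(mktemp -d)
GW_NAME="vpn.example.test"    # the name users would enter in the client (constructed)

# 1) Lab CA, standing in for a "known CA" that clients already trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2) Gateway identity certificate issued by that CA, with the hostname in its SAN.
printf 'subjectAltName=DNS:%s\n' "$GW_NAME" > "$WORK/san.cnf"
openssl req -newkey rsa:2048 -nodes -subj "/CN=$GW_NAME" \
    -keyout "$WORK/gw.key" -out "$WORK/gw.csr" 2>/dev/null
openssl x509 -req -in "$WORK/gw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.cnf" \
    -out "$WORK/gw-signed.crt" 2>/dev/null

# 3) Self-signed gateway certificate, like the one a device presents out of the box.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$GW_NAME" \
    -keyout "$WORK/gw-self.key" -out "$WORK/gw-self.crt" 2>/dev/null

# What the client does: chain the presented certificate to a trusted CA and
# check that it was issued for the hostname being contacted.
# $1 = certificate, $2 = trusted CA bundle, $3 = expected hostname
verify_gateway_cert() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

report() {    # $1 = label, $2 = certificate, $3 = hostname being contacted
    if verify_gateway_cert "$2" "$WORK/ca.crt" "$3"; then
        echo "$1: trusted, connection proceeds without a warning"
    else
        echo "$1: NOT trusted, the client would show a certificate warning"
    fi
}

report "CA-signed, correct name"  "$WORK/gw-signed.crt" "$GW_NAME"
report "CA-signed, other name"    "$WORK/gw-signed.crt" "other.example.test"
report "self-signed"              "$WORK/gw-self.crt"   "$GW_NAME"
```

The second case shows why a CA signature alone is not enough: a valid certificate issued for a different name still fails, which is the check that stops a rogue server from reusing someone else's trusted certificate.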


4 Replies

Aditya Ganjoo
Cisco Employee

Hi,

The SSL protocol mandates that the SSL server provide the client with a server certificate for the client to perform server authentication. Cisco does not recommend use of a self-signed certificate because of the possibility that a user could inadvertently configure a browser to trust a certificate from a rogue server. There is also the inconvenience to users of having to respond to a security warning when they connect to the secure gateway. It is recommended to use trusted third-party CAs to issue SSL certificates to the ASA for this purpose.

- Under what circumstances would/should an SSL certificate be purchased and used?

If you have multiple clients, then you would need an SSL client to trust the server.

For more info:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

- Is a certificate required only when using a clientless VPN?

It would be used both for AnyConnect and clientless VPN, as the certificate is bound to the interface.

- Does it matter if the customer has an AnyConnect Plus or Apex license?

No, it has nothing to do with the licenses.

Regards,

Aditya

Please rate helpful and mark correct answers

Thanks for your info and help on this.  

Thank you very much for your help and answers.