
SSL VPN certificate authentication

Hamood Rehman
Level 1

Hello,

I'm changing SSL VPN from aaa authentication to both aaa and certs, Server 08 CA, 8.2 ASA 5510, ssl client 2.5.1025 and Windows 7 users. My question is what should be the template of the id cert that I receive from CA.

Thanks,



Tarik Admani
VIP Alumni

Hamood,

You can use the user template, here is a guide that shows you how to configure scep and it shows the template that the ASA generates for its anyconnect clients. This example shows that you can use the same client cert for both vpn and wireless network authentication.

BYOD guide -

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/UA_Security.html#wp1253623

Template configuration -

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/UA_Security.html#wp1253623

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

The link shows the template for the client. I will need that cert to be pushed to the Windows 7 clients via GPO etc. What should be the template for the cert that I need on the ASA?

Thanks.

Hamood,

You can use a web server template for the certificate for the ASA.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

So I modified the User template and pushed a cert created by the new template to a Win XP client. My ASA has a web server template cert from the same 2008 CA, but I cannot connect, I get Certificate Validation error. On the anyconnect log I see it goes through all the certs in the machine store and then says that no valid cert was found. Also the log has entries saying it received unrecognized content type and Global_Error_Unexpected. I will regenerate and reinstall all the certificates, maybe upgrade the anyconnect image and try again.

Hamood,

If you pushed the cert through to GPO then it may have placed it in the user account store. Please use mmc to see if you can install this cert in the machine store and test again.

Thanks,

Tarik Admani
*Please rate helpful posts*

It did get pushed into the user store. I imported it into the machine store. Still got validation error.

Thanks.

Hamood,

Do you have "ssl certificate-authentication interface interface-name port port-number"

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1514061

Thanks,

Tarik Admani
*Please rate helpful posts*

Thank you for helping me Tarik,

I do have that command configured on the outside int, port 443.

Can you post your running configuration? Were you able to authenticate using password before?


Here's the running config. If I change authentication method to aaa in connection profile I can connect fine. There's load-balancing config in there but I'm not trying to connect to the virtual IP for now.

Thanks,

See if you can download the profile editor and follow these steps:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html#wpxref49627

Are you an admin on the computer? See if forcing certificate store override allows you to connect. Also can you post a screenshot of the error and a screenshot of the certificate details.

If the above step doesn't work then collect a DART bundle so we can see what is going on.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac08managemonitortbs.html

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello Tarik,

I configured a profile and specified All stores in it but it did not work. The anyconnect client finds two certs but I still get validation error.

Thanks,

Hamood,

Can you try to manually request a user cert from the CA and then install that and the private key on the laptop? Give that a try and let me know what happens.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

That worked. I requested a certificate from the CA web interface manually and installed it on the laptop.

Thanks.
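The thread turns on three client-side conditions: the cert landing in the user store instead of the machine store, a cert present without its private key, and the chain not validating. The following PowerShell check (an added example, not from the thread or from Cisco) inventories both stores and reports those conditions for certificates from your CA; the issuer filter string is a placeholder you replace with your CA's name.

```powershell
# Added example: inventory client-auth certificates in both Windows stores and
# flag the conditions discussed above. Not code from the thread.
# Assumption: the issuing CA's name contains the placeholder string below.
$IssuerMatch   = 'YOUR-CA-NAME'          # placeholder: replace with your 2008 CA's CN
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU

# True if the certificate carries the Client Authentication EKU.
function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthOid) { return $true }
            }
        }
    }
    return $false
}

$report = foreach ($storePath in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem $storePath | Where-Object { $_.Issuer -match $IssuerMatch } | ForEach-Object {
        New-Object PSObject -Property @{
            Store         = $storePath
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey   # false when only the public cert was distributed
            ClientAuthEku = Test-ClientAuthEku $_
            ChainValid    = $_.Verify()        # false if the CA is untrusted or the cert is expired/revoked
            NotAfter      = $_.NotAfter
        }
    }
}
$report | Format-Table Store, Subject, HasPrivateKey, ClientAuthEku, ChainValid, NotAfter -AutoSize

# A cert is usable for VPN client authentication from the machine store only if
# it has a private key, the Client Authentication EKU and a chain that validates.
$usable = @($report | Where-Object {
    $_.Store -eq 'Cert:\LocalMachine\My' -and $_.HasPrivateKey -and $_.ClientAuthEku -and $_.ChainValid
})
if ($usable.Count -gt 0) {
    Write-Host "Usable machine-store client cert(s): $($usable.Count)"
} else {
    Write-Host 'No usable client cert in LocalMachine\My: check store, private key, EKU and chain.'
}
```

Run it from an elevated prompt so the machine store's private-key state is readable; a cert that shows HasPrivateKey False is the case that the manual request from the CA web interface resolved here.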