Complementing may last post..

Christian Jorge · ‎09-27-2015

Good morning

We are facing some issues to connect Anyconnect via certificates.

Our goal is authenticate VPN user with certificate and also with LDAP login. LDAP login / LDAP attribute-map has been working fine before including certificates.

We are using our certificate authority server. Only need to input certificate chain (root / subordinate) (as so identity certificate) on the firewall and the performing the same in all the VPN client machines.

VPN clients searchs for fqdn related to firewall interface. Firewall identity certificate presents DN with this public name (ex: firewall.domain.com)

But even trying this, VPN connection fails in first steps, like not recognizing certificates. I'm afraid that both sides are not using the exact certificate template or something is mismatched.

...and still presenting that warning/not trusted certificate message.

Follow errors and configuration

--------------------------------------------------------------------------------------------------------------------------------------------------------

#Firewall version:

Cisco Adaptive Security Appliance Software Version 9.1(6)4

#Anyconnect version: anyconnect-win-3.1.10010-k9.pkg

#Configuration

crypto ca trustpoint VPN_Root_CA
enrollment terminal

crypto ca trustpoint VPN_Sub_CA
enrollment terminal
subject-name CN=firewall.domain.com,O=Enterprise,C=BR,St=SP
keypair VPN_CA_keypair

crypto ca trustpool policy

tunnel-group VPN_ANYCONNECT_Client type remote-access
tunnel-group VPN_ANYCONNECT_Client general-attributes
authentication-server-group VPN-LDAP-AUTH

authorization-required
tunnel-group VPN_ANYCONNECT_Client webvpn-attributes
authentication aaa certificate

ssl trust-point VPN_Sub_CA internet
webvpn
ssl server-version tlsv1

---------------------------------------------------------------------------------------

#Debug messages

firewall/pri/act# Public archive directives retrieved from cache for index 1.
CERT_API: PKI session 0x0f4aa721 open Successful with type SSL

CERT-C: E ../cert-c/source/certobj.c(870) : Error #722h

CRYPTO_PKI: can not set ca cert object (0x722)
SSL verify callback: Failed to add the ID cert to the PKI sessionCERT_API: Close session 0x0f4aa721 synchronously
CERT_API: PKI session 0x0fb518d9 open Successful with type SSL

CERT-C: E ../cert-c/source/certobj.c(1516) : Error #701h

CERT-C: E ../cert-c/source/certobj.c(1528) : Error #72ah

CERT-C: E ../cert-c/source/certobj.c(874) : Error #72ah

CRYPTO_PKI: can not set ca cert object (0x72a)
SSL verify callback: Failed to add the ID cert to the PKI sessionCERT_API: Close session 0x0fb518d9 synchronously
Public archive directives retrieved from cache for index 1.
Public archive directives retrieved from cache for index 1.

---------------------------------------------------------------------------------------

6 Sep 25 2015 19:15:47 725003 201.23.147.37 21750 SSL client internet:201.23.147.37/21750 request to resume previous session.

Any ideas?

Regards

Christian

pjain2 · ‎09-27-2015

Is the ASA's IS cert generated from a 3rd part CA?

if not, then the untrusted cert warning is expected

Christian Jorge · ‎11-24-2015

We have 2 trustpoints: one related to Entrust (an well-known CA for browsers) and another related to a customer internal CA.

Customer consider two VPN groups: one group for internal users and another group for partner/3rd party users.

Internal users must use machine-certificate for VPN autentication. For this task, we are considering "authentication by certificate" in webvpn section in tunnel-group, as usual.

We have configured "ssl trust-point" linked do internal CA trustpoint and all internal users have internal CA certificate both in theirs browsers as so as related to their machine-certificate.

Partner/3rd party users don't need to use certificate for authentication, only user/password login.

But they are facing hard work to install anyconnect from ASA in their personal machines due to initial certificate connection with ASA (probably that first step when connecting via browser and internal CA is untrusted). Remember that ASA consider internal, not well-known CA for browsers, SSL certificate assigned to Internet interface.

Entrust certificate/trustpoint is configured, but not used or assigned to anything in firewall.

Question is: is there any way to assign internal truistpoint for internal customer users for VPN machine authentication and use Entrust trustpoint for partner/3rd parties install correctly anyconnect via browser?

What I've found so far: one firewall interface only can have one ssl trustpoint assigned.
Is there any other way I could not see so far?

Regards

Christian

Christian Jorge · ‎11-24-2015

Complementing my last post...

Considering this old forum post:
https://supportforums.cisco.com/discussion/11762861/webvpn-anyconnect-same-asa-interface-different-cas

and rebuilding my question:

Is it really possible authenticate differente anyconnect VPN sessions by firewall trustpoints different that one assigned to "ssl trust-point" in Internet interface?

VPNs are already in production so I can't lose my shot testing blindly.

Regards

Christian

nolanrumble · ‎07-28-2016

Hi All,

Just wondering if this problem was ever solved?

Thanks

Nolan

VPN Anyconnect not connecting using certificates