03-13-2013 12:08 PM - edited 02-21-2020 06:45 PM
Hello!
Is it possible to have both VPN options on the same interface but authenticated by means of two different certificate authorities?
We have Webvpn for Citrix integration doing fine with a Verisign signed certificate. We intend now to go ahead and use certificates for AnyConnect as well but using privately-issued certificates. We think there could be a problem already covered by this bug ID. CSCsk55139. Am I right? Is there a way of accomplishing this? Is it the only possibility to move to privately-issued certificates for both Webvpn and AnyConnect?
Any comments would be greatly appreciated.
Thanks
Guido
03-14-2013 06:49 AM
Hi
You can only have one certificate per interface, but this certificate is not the one used for authentication though
For AnyConnect / WebVPN certificate authentication, all you have to do is to install as many CA certificates as needed, then you could create two connection profiles as follows:
tunnel-group AnyConnect webvpn-attributes
 authentication certificate
!
tunnel-group WebVPN webvpn-attributes
 authentication certificate
So, when the client tries to connect to the AnyConnect profile with the correct client certificate, the ASA looks for a valid CA certificate to validate the client's certificate.
The same will happen for the WebVPN users.
Let me know if you have any further questions.
Portu
Don't forget to rate any helpful posts.
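The setup described in this reply, written out as a fuller ASA configuration (an added example, not Portu's own config or anything from the original thread). Trustpoint names, the CA name and the interface name are placeholders; the certificate-map step is an addition beyond the reply above, used so that the ASA picks the tunnel-group from the client certificate's issuer instead of relying on the user choosing a group.

```cisco
! --- Two CA trustpoints: the public CA that signed the WebVPN server
! --- certificate and the private CA that issues AnyConnect client certs.
! --- Names are placeholders; "crypto ca authenticate" imports each CA cert.
crypto ca trustpoint PUBLIC-CA-TP
 enrollment terminal
 crl configure
crypto ca authenticate PUBLIC-CA-TP
!
crypto ca trustpoint INTERNAL-CA-TP
 enrollment terminal
 crl configure
crypto ca authenticate INTERNAL-CA-TP
!
! --- The server certificate presented on the interface is a separate role:
! --- only one trustpoint can be bound here, and it is not what validates
! --- client certificates (any authenticated trustpoint can do that).
ssl trust-point PUBLIC-CA-TP outside
! --- Ask clientless (browser) users for a client certificate as well.
ssl certificate-authentication interface outside port 443
!
! --- Match client certs by issuer (placeholder CN values, no spaces).
crypto ca certificate map INTERNAL-CA-MAP 10
 issuer-name attr cn eq InternalIssuingCA
crypto ca certificate map PUBLIC-CA-MAP 10
 issuer-name attr cn eq PublicIssuingCA
!
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect webvpn-attributes
 authentication certificate
tunnel-group WebVPN type remote-access
tunnel-group WebVPN webvpn-attributes
 authentication certificate
!
! --- Route each certificate to its tunnel-group based on the map above.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map INTERNAL-CA-MAP 10 AnyConnect
 certificate-group-map PUBLIC-CA-MAP 10 WebVPN
!
! --- Verification: confirm both CA certs are present and valid.
! show crypto ca certificates
! show crypto ca trustpoints
```

If a client certificate is rejected, `debug crypto ca 3` during a connection attempt shows which trustpoint the ASA tried and why validation failed (missing CA chain, CRL unreachable, or no certificate map match).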
03-15-2013 01:43 PM
Hello Javier! Thank you for taking the time.
Though we haven't tried this yet, and since the ASA is not going to act as a client, is it safe to remove the certificate-to-interface bond?
Thanks again!
I look forward to rating your answer 5 stars.
Guido
03-15-2013 01:46 PM
Hi Guido,
May I know what you mean by "since the ASA is not going to act as a client, is it safe to remove the certificate-to-interface bond?" ?
Thanks
03-15-2013 02:23 PM
Hi Javier
I think I messed up things.
I meant the trustpoint assigned to an interface by means of the command (config)# ssl trust-point name interface-name.
I was thinking of the ASA as a client for certificate-based ASA-initiated vpns.
Anyways, could this prevent other trustpoints from authenticating clients terminating on an interface bound to a certain trustpoint?
Thanks!!
Guido
03-15-2013 06:50 PM
Thanks Guido :)
You are right, other Trustpoints used for SSL authentication or even IPsec will not be affected.
Remember that the SSL trustpoint applied on the interface is not used for SSL authentication.
Portu
04-03-2013 07:02 AM
Hi Javier
Thank you for your time. I haven't had the chance to try this yet. I wanted to thank you and to let you know that I'll post the results and rate your valuable help.
Thanks again.
Guido
06-10-2013 02:01 PM
Hi Javier
I don’t know if you’re still out there.
I went back to this and realized that without "ssl trust-point
I understand that the certificate on the interface may not be the one used for authentication but without this command, and this command alone, the ASA presents different credentials. For this test, there is a single trustpoint, single tunnel-group, single everything. With this command on, the vpn comes up right away. Without it, a number of errors/warnings appear.
Do you have any suggestions? Is it the only option to authenticate both vpns with the same CA?
Thank you in advance and for your time already.
Guido