Webvpn & AnyConnect on same ASA interface but different CAs.

ggalteroo (Level 1)

Hello!

Is it possible to have both VPN options on the same interface but authenticated by means of two different certificate authorities?

We have Webvpn for Citrix integration doing fine with a Verisign-signed certificate. We intend now to go ahead and use certificates for AnyConnect as well, but using privately-issued certificates. We think there could be a problem already covered by this bug ID: CSCsk55139. Am I right? Is there a way of accomplishing this? Is the only possibility to move to privately-issued certificates for both Webvpn and AnyConnect?

Any comments would be greatly appreciated.

Thanks

Guido

7 Replies

Hi

You can only have one certificate per interface, but this certificate is not the one used for authentication.

For AnyConnect / WebVPN certificate authentication, all you have to do is install as many CA certificates as needed, then you could create two connection profiles as follows:

tunnel-group AnyConnect webvpn-attributes
     authentication certificate
!
tunnel-group WebVPN webvpn-attributes
     authentication certificate

So, when the client tries to connect to the AnyConnect profile with the correct client certificate, the ASA looks for a valid CA certificate to validate the client's certificate.

The same will happen for the WebVPN users.

Let me know if you have any further questions.

Portu

Don't forget to rate any helpful posts.
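A fuller version of the configuration described in the reply above, as an added example and not taken from the thread: one identity trustpoint carries the public (Verisign-signed) server certificate that the interface presents, a second trustpoint holds the private CA that issues AnyConnect client certificates, and certificate maps tie each issuer to the connection profile it is allowed to reach. All trustpoint, map, key, interface and tunnel-group names, and the issuer strings, are hypothetical placeholders.

```cisco
! Added example; not the original poster's or replier's configuration.
! Names (PUBLIC-ID, PRIVATE-CA, the maps, vpn-key, "outside") are assumed.
!
! 1. Identity trustpoint: the server certificate the ASA presents on the interface.
crypto ca trustpoint PUBLIC-ID
 enrollment terminal
 subject-name CN=vpn.example.com
 keypair vpn-key
!
! 2. One trustpoint per CA that may issue client certificates.
!    Import each CA certificate with "crypto ca authenticate <trustpoint>".
crypto ca trustpoint PRIVATE-CA
 enrollment terminal
 crl configure
!
! 3. Certificate maps keyed on the issuer, so a certificate from one CA
!    cannot be used to land in the other profile.
crypto ca certificate map PRIVATE-CA-MAP 10
 issuer-name attr cn co private-ca
crypto ca certificate map PUBLIC-CA-MAP 10
 issuer-name attr o co VeriSign
!
! 4. Bind the identity certificate to the interface. This only controls
!    what the ASA presents to clients; it does not choose which CAs
!    validate client certificates.
ssl trust-point PUBLIC-ID outside
!
! 5. Two connection profiles, both authenticating with certificates.
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect webvpn-attributes
 authentication certificate
!
tunnel-group WebVPN type remote-access
tunnel-group WebVPN webvpn-attributes
 authentication certificate
!
! 6. Select the profile from the client certificate's issuer.
webvpn
 enable outside
 certificate-group-map PRIVATE-CA-MAP 10 AnyConnect
 certificate-group-map PUBLIC-CA-MAP 10 WebVPN
```

The certificate maps are the part a practitioner should not skip: a client certificate that chains to any installed CA trustpoint is otherwise accepted as valid regardless of which profile the client picks, so installing a second CA without a map lets certificates from either CA authenticate to either profile. Step 4 is also what answers the later question in this thread about the interface-bound trustpoint: it governs the server certificate only, so removing or changing it does not stop the other trustpoints from validating clients.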

Hello Javier! Thank you for taking the time.

Though we haven't tried this yet, and since the ASA is not going to act as a client, is it safe to remove the certificate-to-interface bond?

Thanks again!

I look forward to rating your answer 5 stars.

Guido

Hi Guido,

May I know what you mean by "since the ASA is not going to act as a client, is it safe to remove the certificate-to-interface bond?" ?

Thanks

Hi Javier

I think I messed up things.

I meant the trustpoint assigned to an interface by means of the command (config)# ssl trust-point name interface-name.

I was thinking of the ASA as a client for certificate-based ASA-initiated vpns.

Anyway, could this prevent other trustpoints from authenticating clients terminating on an interface bound to a certain trustpoint?

Thanks!!

Guido

Thanks Guido  :)

You are right, other trustpoints used for SSL authentication or even IPsec will not be affected.

Remember that the SSL trustpoint applied on the interface is not used for SSL authentication. 

Portu

Hi Javier

Thank you for your time. I haven't had the chance to try this yet. I wanted to thank you and to let you know that I'll post the results and rate your valuable help.

Thanks again.

Guido

Hi Javier

I don't know if you're still out there.

I went back to this and realized that without "ssl trust-point" the ASA presents a certificate with its IP as the CN field. With the "ssl trust-point" command, the certificate presented has the correct information. After struggling with the certificate containers, the VPN comes up OK, but since I also have a WebVPN with a previous "ssl trust-point", I'm not sure if I'll be able to set up both.

I understand that the certificate on the interface may not be the one used for authentication, but without this command, and this command alone, the ASA presents different credentials. For this test, there is a single trustpoint, single tunnel-group, single everything. With this command on, the VPN comes up right away. Without it, a number of errors/warnings appear.

Do you have any suggestions? Is it the only option to authenticate both vpns with the same CA?

Thank you in advance and for your time already.

Guido