SSL VPN on ASA5500 using CAC (smartcard)

May 21st, 2007

I've completed the configuration of an ASA5500 to support certificate authentication of DoD CACs and have everything working properly, though I have an annoyance that I would like to fix:

When a client attempts to establish an SSL VPN session using their CAC (smartcard), they are prompted twice to select a certificate if they have the SSL client installed; if they don't, they get prompted THREE times to select a certificate.

All this seems rather inane and from a user perspective annoying. So my questions are:

1. Can the ASA be configured to use their first selected certificate from there on?

2. Can the SSL VPN Client be configured to select the appropriate certificate automatically?

3. If 1 and 2 are no, then how can I eliminate the excessive certificate prompts?

I would very much like to move away from bandwidth-heavy IPSEC connections and be able to utilize the SSL VPN solution, though this simply isn't simple enough for my clients.


didyap Mon, 05/28/2007 - 11:21

To enable ASA 5500 support for the DoD Common Access Card (CAC) when it is integrated with Active Directory (AD) to provide Smart Card Logon.

