02-25-2008 02:18 PM
Hi,
I'm trying to setup the anyconnect client to use certificate authentication with asa 5510 running 8.0.
I would like to use windows CA to get signed certificates that could be used to authenticate the asa. The anyconnect client should have certs from windows domain that would match the root cert of signed asa.
Has anyone done a similar thing and would be able to provide me with some links or config samples.
I have SCEP working with the asa but can't seem to use that certificate for ssl, not sure why.
Thanks for any help in advance.
05-07-2009 08:49 PM
Hi Tom,
Were you able to resolve this? I would appreciate a sample config. I am also trying to get it working with Windows CA.
05-08-2009 01:20 PM
You can use the following doc as a guide as the majority of the configuration will be the same. Please let me know what specific issues you are running into.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a2b93.shtml
05-08-2009 01:57 PM
I am using digital cert from Microsoft CA for machine authentication and the idea is if the machine cert is revoked the user should not be allowed to login. I get the following error
"certificate validation failure"
Any thoughts on troubleshooting or fixing are greatly appreciated. Secondly, for machine authentication, the CA Server and the AD are on the LAN. Attached is also the design config.
I did look at multiple documents including this one, but will check this one again.
05-13-2009 04:32 PM
I am still getting certificate validation failure
CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
12 7f 74 fe e6 d0 16 57 7d cd d7 78 ff da 61 ed | t....W}..x..a.
CRYPTO_PKI: Found cert in database.
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
e5 40 0d f7 29 f3 4c 15 f1 68 1d 17 4f f2 c6 e2 | .@..).L..h..O...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Found a suitable authenticated trustpoint Main.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found
CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 741EA925000100001F46, subject name: ea=xx CRYPTO_PKI: Certificate not validated
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
12 7f 74 fe e6 d0 16 57 7d cd d7 78 ff da 61 ed | t....W}..x..a.
CRYPTO_PKI: Found cert in database.
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
e5 40 0d f7 29 f3 4c 15 f1 68 1d 17 4f f2 c6 e2 | .@..).L..h..O...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
The certificate is not getting automatically delivered via ASA from the MS-CA and therefore cannot be imported into the personal store.
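The debug output above pins the failure on the peer certificate's ExtendedKeyUsage: the only purpose it carries is OID 1.3.6.1.5.5.8.2.2 (IP security IKE intermediate), which the ASA's check_key_usage step reports as NOT acceptable before reporting status 1873. The following is an added example, not code from the thread or from Cisco: a small pure-Python DER decoder for the ExtendedKeyUsage extension that lists the purpose OIDs and applies the same kind of check. The set of OIDs treated as acceptable for SSL VPN client authentication (clientAuth or anyExtendedKeyUsage) and the sample extension bytes are assumptions constructed for the example.

```python
"""Decode an X.509 ExtendedKeyUsage extension (DER) and check its OIDs.

Added example, not from the thread. It mirrors the CRYPTO_PKI:check_key_usage
step in the posted debug output. ACCEPTABLE_FOR_SSL_CLIENT is an assumption
about what an SSL VPN headend should accept from a client certificate.
"""

# Well-known EKU OIDs and their names.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.8.2.2": "ikeIntermediate",
    "1.3.6.1.4.1.311.20.2.2": "smartcardLogon",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}

# Assumption for this example: purposes acceptable on an SSL VPN client cert.
ACCEPTABLE_FOR_SSL_CLIENT = {"1.3.6.1.5.5.7.3.2", "2.5.29.37.0"}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, up to 4 length octets
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, pending = 0, False
    for byte in content[1:]:  # remaining arcs are base-128, MSB = continue
        value = (value << 7) | (byte & 0x7F)
        pending = bool(byte & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Parse ExtKeyUsageSyntax: SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    return oids


def check_key_usage(eku_der, acceptable=ACCEPTABLE_FOR_SSL_CLIENT):
    """Return (ok, report_lines). An absent extension (None) restricts nothing."""
    if eku_der is None:
        return True, ["no ExtendedKeyUsage extension: any purpose permitted"]
    report, ok = [], False
    for oid in parse_eku(eku_der):
        name = EKU_NAMES.get(oid, "unknown")
        verdict = "acceptable" if oid in acceptable else "NOT acceptable"
        ok = ok or oid in acceptable
        report.append(f"ExtendedKeyUsage OID = {oid} ({name}), {verdict}")
    if not ok:
        report.append("No acceptable ExtendedKeyUsage OIDs found")
    return ok, report


# Constructed sample extension values (DER), not taken from any real cert.
# 1) Only ikeIntermediate: the situation in the thread's debug output.
EKU_IKE_ONLY = bytes.fromhex("300a" "06082b06010505080202")
# 2) clientAuth plus ikeIntermediate: what a corrected template would yield.
EKU_CLIENT_AND_IKE = bytes.fromhex("3014" "06082b06010505070302" "06082b06010505080202")
# 3) smartcardLogon plus clientAuth: exercises the multi-byte arc 311.
EKU_SMARTCARD = bytes.fromhex("3016" "060a2b060104018237140202" "06082b06010505070302")

if __name__ == "__main__":
    for label, der in [("ike only", EKU_IKE_ONLY), ("client+ike", EKU_CLIENT_AND_IKE),
                       ("smartcard", EKU_SMARTCARD), ("no EKU", None)]:
        ok, lines = check_key_usage(der)
        print(f"[{label}] {'PASS' if ok else 'FAIL'}")
        for line in lines:
            print("   ", line)
```

Run against the first sample, the report reads like the posted debug lines (the 1.3.6.1.5.5.8.2.2 entry is flagged NOT acceptable and the overall check fails); against the second it passes because clientAuth is present. To use it on a real client certificate, feed it the raw value of the ExtendedKeyUsage extension (OID 2.5.29.37) taken from the certificate's extensions; the decoder handles arcs above 127 such as the Microsoft 311 arc.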
08-17-2009 03:11 AM
I am looking at a very similar project. Did you resolve this?