ASA 5510 SSL VPN using Certificate authentication

Oct 26th, 2009

Tried configuring SSL VPN using certificate authentication with a Microsoft CA server. Trustpoint created and mapped to SSL VPN. While connecting to the SSL VPN I am getting a certificate validation failure. Please find the error screenshot attached.



Herbert Baerten (Cisco Employee) Mon, 10/26/2009 - 13:15

Get the syslogs + output of "debug crypto ca 10" at the time of a failing authentication attempt; that should give the reason for the failure.

If you need help interpreting the debug output then please post it here along with "show cry ca cert" and a copy of the client cert (just the cert, not the private key).


hth

Herbert

kamalakannan1k Tue, 10/27/2009 - 06:16

Hi, thanks for your reply.


I have attached the syslog and show crypto ca cert. There was no debug output for debug crypto ca 10.


My question is what certificate is required for the client to get connected to SSL VPN; you can check the certificate attached.



allen.malanda_2 Mon, 05/09/2011 - 07:48

Hello,


I am experiencing the same issue. We have more than 1000 users on Cisco AnyConnect VPN using aaa and certificate for authentication. I get certificate validation failure even after I download a new user certificate in the client machine. I would love to know the solution for this issue.


Thanks,

Herbert Baerten (Cisco Employee) Tue, 05/10/2011 - 00:53

@kamalakannan1k: I'm very sorry, it looks like I never saw your update to this thread (maybe something went wrong with the notification email...). FWIW, it looks like your problem was that you did not import the CA certificate on the ASA.


@allen.malanda: your problem may or may not be the same. I would suggest checking the same command to start with, i.e. "show cry ca cert" should show you both a "Certificate" (the ASA's "server" certificate) as well as the CA certificate (i.e. the certificate of the CA that issued the client certificates).


hth
Herbert
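
The check suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that scans saved "show crypto ca certificates" output for both an identity "Certificate" entry and a "CA Certificate" entry whose subject matches the issuer of the client certificates. The sample output is constructed, and its layout, names and trustpoint are assumptions for illustration.

```python
import re

# Constructed sample, assumed to follow the usual layout of
# "show crypto ca certificates"; all names and the trustpoint are made up.
SAMPLE_NO_CA = """\
Certificate
  Status: Available
  Issuer Name:
    cn=Example-Issuing-CA
  Subject Name:
    cn=vpn.example.com
  Associated Trustpoints: SSLVPN-TP
"""
SAMPLE_WITH_CA = SAMPLE_NO_CA + """
CA Certificate
  Status: Available
  Issuer Name:
    cn=Example-Issuing-CA
  Subject Name:
    cn=Example-Issuing-CA
  Associated Trustpoints: SSLVPN-TP
"""

def parse_entries(text):
    """Split the output into entries: kind plus issuer/subject name parts."""
    entries, cur, field = [], None, None
    for line in text.splitlines():
        if line.strip() in ("Certificate", "CA Certificate") and not line[0].isspace():
            cur, field = {"kind": line.strip(), "Issuer Name": [], "Subject Name": []}, None
            entries.append(cur)
        elif cur is None or not line.strip():
            continue  # preamble or blank separator between entries
        elif line.strip().rstrip(":") in ("Issuer Name", "Subject Name"):
            field = line.strip().rstrip(":")
        elif field and re.match(r"\s{4,}\S+=", line):
            cur[field].append(line.strip().lower())  # indented name component
        else:
            field = None  # any other field ends the name block
    return entries

def check(text, client_issuer_cn):
    """Return the problems the check described in the reply would reveal."""
    entries = parse_entries(text)
    problems = []
    if not any(e["kind"] == "Certificate" for e in entries):
        problems.append("no identity certificate for the ASA")
    want = "cn=" + client_issuer_cn.lower()
    if not any(e["kind"] == "CA Certificate" and want in e["Subject Name"] for e in entries):
        problems.append("no CA certificate for issuer " + client_issuer_cn)
    return problems
```

An empty list from `check()` means both entries are present; it does not validate expiry, revocation or the chain itself.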
