ASA SSL VPN with client certificates from external CA

Dec 2nd, 2009

Hi all,

I am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect.

I have imported the CA's root certificate, signed an identity cert for the ASA box and imported it, and assigned the cert ("trustpoint") to the outside interface.

Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select the authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of whether I have a valid signed cert or not. This is what I see with "debug webvpn 100":

ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = c98f3940
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!
Embedded CA Server not enabled. Logging out the user.

So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert?

Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything - whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".

Some highlights from the config:

crypto ca trustpoint
enrollment terminal
keypair company
crl configure
crypto ca trustpoint ASDM_TrustPoint0
revocation-check crl none
enrollment terminal
crl configure
  no enforcenextupdate
  no protocol ldap
  no protocol scep
crypto ca trustpoint
revocation-check crl
enrollment terminal
no client-types
crl configure
crypto ca certificate chain
certificate 02
    30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030
    <snipped rest of cert>
crypto ca certificate chain ASDM_TrustPoint0
certificate ca 00e2a6f08003ded6c9
    3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886
    <snipped rest of cert>
crypto ca certificate chain
certificate ca 00e2a6f08003ded6c9
    3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886
    <snipped rest of cert>

ssl encryption aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point outside vpnlb-ip
ssl trust-point outside
ssl certificate-authentication interface outside port 1443
port 1443
enable outside
dtls port 1443
svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
svc enable

group-policy DenyGroup internal
group-policy DenyGroup attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec svc
group-policy DfltGrpPolicy attributes
dns-server value
vpn-simultaneous-logins 1
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tunnel_company_networks
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAPUsers
default-group-policy DenyGroup
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication certificate

I've been trying different combinations of options for this and starting to pull my hair out. Any hints would be appreciated!
Herbert Baerten Wed, 12/02/2009 - 06:31
debug crypto ca 255

debug crypto ca mess 255

debug crypto ca trans 255

show crypto ca cert

And be sure to check the clock on the ASA, make sure the date is correct and that your client cert is not expired.

basissmart Thu, 12/03/2009 - 03:25

Hi Herbert,

With these debug settings on, I did not get any log messages when trying to connect.

'show crypto ca cert' shows the two expected certs (the ASA's identity cert and the CA certificate).

Both ASA and client clocks are correct and synced to the same NTP server.

Note that we are not using the ASA's local CA functionality - it doesn't work in a failover configuration. So we run our own CA separate from the ASA box and want the ASA to verify that connecting clients have certs signed by this CA.


rcullum Wed, 01/27/2010 - 06:50

You need to import the CA certificate into your ASA that signed your client certificate. Then tick the option Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles 'Require client certificate'. Then in your connection profile choose auth method as AAA as you are not doing cert auth. When you connect to ASA with your IE browser, you should be prompted to choose a client certificate to use for your connection to the ASA. I don't think this works for Firefox as it won't have access to your Windows certificate store. The ASA should look through all its CA trustpoints to find one that matches the CA that signed your client cert, thereby validating your identity. I have only tried this with a Windows user certificate, not a machine certificate.

padair000 Wed, 01/27/2010 - 11:07

I am having the same problem as Snorri. I have tried what you suggest, and it works but without requiring the cert. I logged in from an isolated outside machine, and when it asked for a certificate I just hit cancel, as I had none. Then it gave me the login screen, and once I logged in using AAA, I was given the SSL VPN homepage.

Have you received any help on this? I have contacted Cisco, but the person helping me is just stabbing in the dark, it would appear. As RCULLUM says, the ASA should check all of its CAs first.


rcullum Fri, 01/29/2010 - 01:39

As a possible interim workaround, create a new SSL VPN connection profile and assign a new group policy to it. Use Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps to map an attribute from your client cert to the new SSL VPN connection profile/policy. On the DfltGrpPolicy, set Simultaneous logins=0, which will stop any sessions.

If you don't select/have a client cert, you should get mapped to the DefaultWEBVPNGroup connection profile which uses policy DfltGrpPolicy.

If you have a cert, the attribute mapping should assign you the new connection profile & policy.
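The interim workaround described above, expressed as ASA 8.0 CLI. This is an added example, not configuration posted by anyone in the thread; the trustpoint, certificate map, tunnel-group and group-policy names and the issuer CN are assumed placeholders, while LDAPUsers is the AAA server group from the original post.

```cisco
! Added example (not from the thread). Assumed names: CompanyCertMap, CertUsers,
! CertUsersPolicy and the issuer CN "Company Root CA"; LDAPUsers is from the original config.
!
! 1. Match client certificates issued by the external company CA on the issuer's CN.
crypto ca certificate map CompanyCertMap 10
 issuer-name attr cn eq Company Root CA
!
! 2. A group policy that actually allows sessions (the default policy is locked down in step 5).
group-policy CertUsersPolicy internal
group-policy CertUsersPolicy attributes
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol svc
!
! 3. Connection profile for cert holders: the certificate gates the tunnel,
!    LDAP still supplies the user identity (AAA + certificate).
tunnel-group CertUsers type remote-access
tunnel-group CertUsers general-attributes
 authentication-server-group LDAPUsers
 default-group-policy CertUsersPolicy
tunnel-group CertUsers webvpn-attributes
 authentication aaa certificate
!
! 4. Send matching certs to that profile; anyone without a matching cert
!    falls through to DefaultWEBVPNGroup and its DfltGrpPolicy.
webvpn
 certificate-group-map CompanyCertMap 10 CertUsers
!
! 5. Deny sessions on the default policy so a no-cert login can authenticate but never connects.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
```

Verify the mapping with "show running-config webvpn" and "show crypto ca certificate map"; a no-cert client should still see the login page, which is the behaviour the later posts discuss.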

padair000 Wed, 02/10/2010 - 14:14

RCULLUM, what I found through a long session with Cisco was that I was using the wrong type of certificate. Even though the identity certificate I used was from the IPsec offline template, the client could not submit such a cert for an SSL VPN. The certificate could only be a user certificate, as given in the Microsoft templates. If the ASA saw that the certificate was good for IPsec usage it would reject it. At least that is what the Cisco person told me. By placing the user cert on the USB token everything seems to work now. I had one additional problem though. That is, if someone without a valid certificate tries to access the gateway they are given a logon prompt. No logons work, but I would prefer they not be given any information if they do not have a certificate. Ideally I would like something like a 404 error.

rcullum Thu, 02/11/2010 - 05:21

Try enabling CSD Windows Location Settings and do a pre-login check. Do a check for a certificate attribute. If the user doesn't have that attribute, I think the ASA will reject the connection before the login prompt appears.

DANIEL FERREIRA Thu, 07/15/2010 - 10:04

Is it possible to authenticate the machine and permit access only to users in AD, but only from a specific machine?

You did the authentication with a user certificate, but is it possible to use a machine certificate?